Dermatology Clinic Fined for HIPAA Violation
A dermatology clinic, Adult & Pediatric Dermatology, P.C., of Concord, Mass., (APDerm), has become the first medical practice to settle with federal regulators for violating the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The practice has agreed to pay $150,000 following a breach of patient data and to implement a comprehensive HIPAA compliance program.
The breach took place on September 14, 2011, when an unencrypted thumb drive containing the electronic protected health information (ePHI) of roughly 2,200 individuals was stolen from a staff member's locked car. The drive was never recovered. Because the data was not encrypted, the loss of the physical device meant the loss of the data itself. The stolen information did not include credit card numbers, phone numbers, addresses, health insurance numbers, or Social Security numbers; it did, however, include operative reports, consultation letters, and photographs of surgical skin cancer procedures.
The HHS Office for Civil Rights (OCR) investigated and determined that APDerm had not conducted an "accurate and thorough analysis of the potential risks and vulnerabilities to the confidentiality of ePHI as part of its security management process." In other words, the finding was not that a drive was stolen, but that the practice had never formally identified the risk of carrying ePHI on portable media and put controls around it. In addition to the payment, APDerm must take corrective action by developing a risk analysis and a risk management plan that address the identified security risks and vulnerabilities. OCR Director Leon Rodriguez commented, "This is what good risk management process is all about—identifying and mitigating the risk before a bad thing happens."
APDerm released a statement saying that, while the flash drive did not contain any financial or sensitive health information, the practice has "reached out to every patient that may have been affected and have worked diligently to put measures in place to ensure the safety and security of our patients' information."