On December 28, 2013, Concord, Massachusetts-based Adult & Pediatric Dermatology (APDerm) agreed to pay $150,000 to settle potential violations of HIPAA rules and agreed to implement corrective actions.
This organization lost ePHI for about 2,200 individuals that was stored on an unencrypted thumb drive. We have talked before about the dangers of thumb drives in the context of HIPAA. We have also noted other cases where companies were charged due to the loss of ePHI. The notable difference here is that the investigation showed that APDerm: (ref)
…had not conducted an accurate and thorough analysis of the potential risks and vulnerabilities to the confidentiality of ePHI as part of its security management process. Further, APDerm did not fully comply with requirements of the Breach Notification Rule to have in place written policies and procedures and train workforce members.
This settlement is the first ever for charges against a covered entity or business associate for failing to adopt required policies and procedures for breach notification. APDerm was willfully negligent in not bothering to develop and follow the required HIPAA policies and procedures and that negligence resulted in a breach.