Yesterday, the Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services announced a HIPAA settlement with a Massachusetts and New Hampshire dermatology practice for failing to perform a risk analysis as required under the HIPAA Security Rule, to implement written breach notification policies and procedures, and to provide breach notification training. The investigation resulted from a report of the theft of an unencrypted thumb drive from a vehicle. The physician practice, Adult & Pediatric Dermatology, P.C., is required to pay a $150,000 fine and enter into a corrective action plan.
HIPAA covered entities and business associates should take seriously the comments of OCR Director Leon Rodriguez, who warned in the press release that “As we say in health care, an ounce of prevention is worth a pound of cure. That is what a good risk management process is all about – identifying and mitigating the risk before a bad thing happens. Covered entities of all sizes need to give priority to securing electronic protected health information.” See http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/apderm-agreement.html