An unencrypted USB drive has ended up costing one dermatology practice, which has settled with the Department of Health and Human Services for failing to address HITECH’s breach notification provisions.
Adult & Pediatric Dermatology (known as APDerm), which provides dermatology services in Massachusetts and New Hampshire, agreed on a settlement of $150,000 for privacy and security violations, and will be required to put a corrective action plan in place to fix deficiencies in its HIPAA compliance program, according to a notice posted Dec. 26 on the HHS website.
It’s the first settlement with a covered entity for not having policies and procedures in place to address the breach notification provisions of the HITECH Act, say officicials from HHS’ Office for Civil Rights.
OCR launched its investigation of APDerm after being tipped off that an unencrypted thumb drive containing the protected health information of some 2,200 people was stolen from a vehicle of one its staff members. The drive was never recovered.
The investigation revealed that APDerm had not conducted an accurate and thorough analysis of the potential risks and vulnerabilities to the confidentiality of PHI as part of its security management process, officials say.
About the Journal of Legal Technology Risk Management
The Journal of Legal Technology Risk Management (“LTRM”) provides a public peer-reviewed professional forum for the open discussion and education of legal professionals concerning the legal issues faced by businesses and governments in the use of information technology as an enabling infrastructure. LTRM articles are written by both academic and legal practitioners and focus on legal risk ratios respective to digital driven technologies. The JLTRM seeks to heighten awareness of the intersection between business technology and regulatory compliance and risk among: general legal experts; technology-legal specialists; audit specialists; and legal scholars.
The Journal of Legal Technology Risk Management (ISSN 1932-5584) is published twice per year by top legal professionals and scholars from the law, technology, and business industries. The views expressed in the Journal of Legal Technology Risk Management Policy are those of the authors and not necessarily of the Journal of Legal Technology Risk Management or the Lexeprint Inc — the publishing company.