Settlement Reached for HIPAA Security Rule Violation

In the government’s first settlement with a covered entity for failing to have written policies and procedures in place to address the breach notification provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act, a Massachusetts dermatology office agreed to pay $150,000.00 and implement a corrective action plan.

The U.S. Department of Health and Human Services, Office for Civil Rights (“HHS”) began an investigation of Adult & Pediatric Dermatology (APDerm), a Massachusetts dermatology practice, when it received notice that an unencrypted thumb drive containing electronic protected health information (ePHI) was stolen from an employee’s car. According to the December 26, 2013 press release from HHS:

“The investigation revealed that APDerm had not conducted an accurate and thorough analysis of the potential risks and vulnerabilities to the confidentiality of ePHI as part of its security management process. Further, APDerm did not fully comply with requirements of the Breach Notification Rule to have in place written policies and procedures and train workforce members.”

The Resolution Agreement, available at, specifies that APDerm did notify patients of the theft of ePHI within 30 days of the thumb drive being stolen, and that APDerm provided media notice. However, APDerm failed to have written policies and procedures regarding breach notification and to train its workforce on those policies. APDerm also apparently failed to conduct the required analysis of potential risks and vulnerabilities to the ePHI until almost a year after HHS began its investigation of the incident, and APDerm was alleged to have not reasonably safeguarded the unencrypted thumb drive that was stolen.

While encryption of ePHI is not required, under the breach notification rules at 45 CFR 164.402, unsecured protected health information is defined as “protected health information that is not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary in the guidance issued under section 13402(h)(2) of Public Law 111-5.” Because the breach notification rules apply only to “unsecured protected health information,” if the ePHI is protected using the technologies or methodologies approved by the Secretary, the covered entity is not legally required to follow the breach notification rules.

While encryption can mitigate application of the breach notification rules, it is important to note that the Security Rule also requires a covered entity to review and modify security measures “as needed” to ensure reasonable and appropriate protection of electronic protected health information, and to update its documentation of those security measures.

The settlement with APDerm serves as a reminder to providers of the need to have written policies and procedures in place, to train staff, and to continually review and update security measures for PHI.
