Current News & Trends

Physician Practice Caught in OCR Crossfire Following Theft of Unencrypted Flash Drive

To protect yourself from cyber risks as stated below, please contact us to discuss the Medefense/e-MD coverage option.

By: Brad M. Rostolsky & John E. Wyand Reed Smith

The theft of an unencrypted flash drive has led to an agreement by Adult & Pediatric Dermatology, P.C., of Concord, Mass. (APDerm), to pay $150,000 to the Department of Health and Human Services’ Office for Civil Rights (OCR) to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy, Security, and Breach Notification Rules. APDerm will also be required to implement a corrective action plan to correct deficiencies in its HIPAA compliance program. APDerm is a private practice that delivers dermatology services in four locations in Massachusetts and two in New Hampshire.

This case marks the first settlement with a covered entity for not having policies and procedures in place to address the breach notification provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act, passed as part of the American Recovery and Reinvestment Act of 2009. Significantly, it also marks one of the few instances where OCR has taken enforcement action against a smaller covered entity provider.

OCR opened an investigation of APDerm upon receiving a report that an unencrypted flash drive containing the electronic protected health information (ePHI) of approximately 2,200 individuals was stolen from a vehicle of one its staff members. The flash drive was never recovered, and the investigation revealed that APDerm had not conducted “an accurate and thorough analysis of the potential risks and vulnerabilities to the confidentiality of ePHI” as part of its security management process. In other words, OCR continues to target the failure of covered entities to conduct a risk assessment under the Security Rule. Furthermore, OCR focused on APDerm’s failure to maintain appropriate policies and procedures, as well as the associated training, pursuant to the requirements of the Breach Notification Rule.

In addition to a $150,000 settlement, OCR imposed a corrective action plan requiring APDerm to develop a risk analysis and risk management plan to address and mitigate any security risks and vulnerabilities, as well as to provide an implementation report to OCR.