Settlement for HIPAA Violations
On December 27, 2013, the Office for Civil Rights (OCR) announced a settlement with Adult & Pediatric Dermatology, P.C., of Concord, Mass. (AP Derm) over potential violations of the HIPAA Rules and the Breach Notification Rule. Most important, this case shows how expensive a lack of HIPAA policies can be.
As a consequence, AP Derm settled potential violations with the OCR for a $150,000 payment and a corrective action plan. In brief, AP Derm is a private dermatology practice with four locations in Massachusetts and two in New Hampshire.
Lack of Policies
This is the first settlement with a covered entity for not having policies and procedures in place to address the breach notification provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act. In addition, the covered entity did not conduct an accurate and thorough analysis of the potential risks and vulnerabilities.
Lack of Risk Analysis
The OCR investigated AP Derm after it received a report that an unencrypted thumb drive containing electronic PHI had been stolen from the vehicle of one of its staff members. The investigation determined that the practice had not conducted a risk analysis of potential vulnerabilities, had not fully complied with the Breach Notification Rule, and had failed to adopt written policies and procedures and to train its employees.
Penalties for Violations
Most importantly, if you violate HIPAA, the severity of the penalty varies. The OCR prefers to resolve HIPAA violations through non-punitive measures, such as voluntary compliance or technical guidance that helps covered entities address areas of non-compliance. However, if the violations are serious, financial penalties may be appropriate.