A Massachusetts-based dermatology practice recently agreed to pay $150,000 to settle claims that it failed to have sufficient policies and procedures in place to address a breach notification requirement under the HITECH Act.  The investigation was initiated following a report that an unencrypted thumb drive containing electronic protected health information of approximately 2,200 individuals was stolen from a staff member’s vehicle and never recovered.  While the dermatology practiced notified patients of the theft, the OCR investigation showed that the practice had not conducted a sufficient analysis of the risks and vulnerabilities to the confidentiality of its electronic protected health information and that the practice failed to have written policies and procedures training its work force members.

This is the first known settlement for failure to have adequate policies and procedures in place to address the breach notification requirements of HITECH.  It sends a rather clear message to practices that this is an area of concern to the OCR and provides a good reminder for practices to assure that they are in compliance with these HITECH Act requirements.