Settlement Reached Regarding Dermatology Practice’s HIPAA Violation


Adult and Pediatric Dermatology (A&P Dermatology) of Concord, Massachusetts, has entered into a resolution agreement with the Department of Health and Human Services (HHS) to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH Act). On November 9, 2011, A&P Dermatology self-disclosed to HHS that a thumb drive containing the health records of 2,200 patients was stolen from an employee’s vehicle. As part of the settlement, A&P Dermatology will pay $150,000 and implement a corrective action plan to improve its security management process. This is the first settlement with a HIPAA covered entity for failure to have policies and procedures in place to address the HITECH Act’s breach notification provisions.

HHS concluded from its investigation that A&P Dermatology did not have policies and procedures in place to comply with the breach notification requirements of the HITECH Act until February 7, 2012, and did not conduct any analyses of potential risk related to electronic protected health information as part of its security management process until October 1, 2012.

Reporter, Paige Fillingame, Houston, +1 713 615 7632