The OCR opened an investigation into Adult & Pediatric Dermatology after receiving information that a thumb drive containing protected health information of about 2,200 individuals had been stolen from the car of one of the practice’s staff members. The individuals whose information was stolen were notified about the missing thumb drive within 30 days.
The dermatology practice, of Concord, Mass., has settled the reported violations of the HIPAA privacy policies and security rules with the Department of Health and Human Services (HHS).
Under the agreement, the practice will pay $150,000 and develop a corrective action plan to address the violations that were filed against it. If the practice fails to keep up with the corrective action plan, it will be in breach of the final agreement, and HHS will no longer be bound by the terms and conditions it set forth in the agreement, namely that HHS will release the practice from any violations that have been reported against it under the security, privacy, and breach notification rules.
The agreement will not go into effect until all parties sign. It binds not only the covered entity but also its successors, heirs, transferees, and assigns. The incident was serious, and HHS needs to make sure the practice does everything it can to stick to the corrective action plan so that something like it doesn’t happen again. The thumb drive held information for over 2,200 people, so this was no small mistake. The practice is now doing everything it can to fix the problem, which was the point of coming to this agreement.
The HHS member and the covered entity signing the agreement each warrant that they are authorized to execute it. The agreement places no restrictions on where it can be published.