$150K Settlement for Massachusetts Dermatology Clinic HIPAA Breach

by Patrick Kennedy | Dec 29, 2011

The Office for Civil Rights (OCR) has released a statement confirming that a settlement has been agreed with Adult & Pediatric Dermatology, P.C., of Concord, Massachusetts, following the potential disclosure of the protected health information (PHI) of almost 2,200 patients after a memory stick was stolen from the car of one of the clinic’s staff members. The stolen thumb drive stored patient data and was not encrypted, so anyone in possession of the device has unrestricted access to the data it contains. The missing thumb drive has so far not been recovered.

Although the HIPAA violation involved a comparatively small number of patients, the OCR has fined the dermatology clinic $150,000 for breaching HIPAA regulations and failing to adequately safeguard the PHI of its patients. The OCR has also required the clinic to carry out a full risk analysis to identify any remaining privacy and security weaknesses, and to develop a risk management plan to address the risks that analysis identifies.

The investigation carried out by the OCR identified a number of HIPAA privacy and security issues which should have been found and addressed had a thorough risk analysis been completed. The OCR also found that the clinic had failed to implement the changes required under the HITECH Act (2009). While the breach itself was reported as the breach notification rules require, the legislation also requires a HIPAA-covered entity to document its breach notification policies and procedures and to provide employee training on data security and privacy. This is the first time that the OCR has issued financial penalties for policy and procedural failures regarding the HIPAA breach notification regulations.

This case has shown that it is not only data breaches that can lead to fines being issued, but also a failure to document policies and procedures. It is not enough for a healthcare organization to follow only a selection of HIPAA requirements, such as issuing a breach notification; all HIPAA policies must be strictly followed. The OCR treats a failure to adhere to any part of HIPAA as negligence, and where there is negligence financial penalties are likely to follow.

The OCR investigates reported HIPAA breaches, and if it is discovered that the security breach arose from a failure to adhere to the HIPAA Rules, penalties of up to $50,000 can be applied for each violation, up to a total of $1.5 million per year for violations of the same provision.

This settlement should alert other healthcare organizations to the importance of completing a full risk analysis of all IT systems, covering every device or piece of equipment that comes into contact with electronic protected health information (ePHI). Mobile devices such as laptop computers, tablets and smartphones must be secured, and any ePHI recorded on a hard drive, thumb drive or other digital storage medium must be encrypted so that it cannot be accessed if the device is lost or stolen.

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.



Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelor's degree is from the University of Limerick and his master's degree in journalism is from Dublin City University. You can contact Patrick through his LinkedIn profile:
