A Massachusetts dermatology practice was recently fined $150,000 for failing to perform a risk analysis, to implement written breach notification policies and procedures, and to provide breach notification training. The investigation into the practice's HIPAA compliance stemmed from the theft of an unencrypted thumb drive from an employee's vehicle; the drive contained the electronic protected health information of approximately 2,200 individuals.
Office for Civil Rights (OCR) Director Leon Rodriguez commented that, "As we say in health care, an ounce of prevention is worth a pound of cure. That is what a good risk management process is all about – identifying and mitigating the risk before a bad thing happens. Covered entities of all sizes need to give priority to securing electronic protected health information."
The new HIPAA privacy requirements set forth in the HIPAA Omnibus Rule, published in early 2013, required compliance by September 23, 2013; covered entities and business associates that have not yet done so can still make the updates needed to comply. Please contact Ann Breitinger or any member of our health care law services group for more information about the HIPAA Omnibus Rule, or if you require updated and compliant business associate agreements or notices of privacy practices.