On December 26th, 2013, HHS-OCR announced a $150,000 dollar settlement with Adult & Pediatric Dermatology, P.C.(APDerm), a Concord, Massachusetts-based private practice for alleged HIPAA violations discovered during an HHS-OCR investigation following a reported breach. As background, on October 7th, 2011,APDerm notified HHS that an unencrypted USB memory drive containing protected health information (PHI) had been stolen from one of its employee’s cars on September 14, 2011. Approximately 2200 individuals’ unsecured PHI was stored on the USB device, and the data included digital images of surgical skin cancer procedures and related reports.

Subsequent to the theft, APDerm properly notified the affected patients, the media, and HHS-OCR. Moreover, according to APDerm, no patient addresses, Social Security numbers, insurance, or other financial information was stored on the USB device. And there was no evidence that the stolen PHI was ever actually used or disclosed. Nevertheless, HSS-OCR was not impressed. In its post-breach investigation report, HHS-OCR noted that aside from the fact that APDerm improperly stored unsecured PHI on a USB drive (that was subsequently stolen),additional HIPAA compliance deficiencies contributed to the cash settlement (and onerous corrective action plan) imposed on APDerm. More specifically:

• APDerm did not conduct an accurate and thorough data privacy and security risk analysis prior to the PHI breach and then waited a year post-breach to conduct a risk analysis; and
• APDerm did not draft written breach notification policies and procedures or appropriately train employees until over a year post-breach.

This and other related settlements are a clear indication that HHS-OCR is closely scrutinizing potential HIPAA breaches and the importance of having experienced counsel guide you through the process, both before and after a suspected breach.