Concord, Mass.-based Adult & Pediatric Dermatology, P.C. last week agreed to a $150,000 settlement with the U.S. Department of Health & Human Services Office for Civil Rights over privacy violations stemming from a September 2011 thumb drive theft. According to HHS, the case marks the first settlement with a covered entity for not having policies and procedures in place to address the breach notification provisions of the HITECH Act.
The thumb drive, which was stolen from an employee's vehicle, contained electronic protected health information for 2,200 individuals, according to HHS.
"As we say in healthcare, an ounce of prevention is worth a pound of cure," OCR Director Leon Rodriguez said in a statement. "That is what a good risk management process is all about--identifying and mitigating the risk before a bad thing happens. Covered entities of all sizes need to give priority to securing electronic protected health information."