
News-At-A-Glance: First HIPAA Settlement for Not Having Policies and Procedures

by | Feb 23, 2015 | Essential, HIPAA-lca, Lab Compliance Advisor

Adult & Pediatric Dermatology, P.C. (APDerm) of Concord, Mass., agreed to a $150,000 settlement with the Department of Health and Human Services Office for Civil Rights (OCR) to resolve potential violations of the Health Insurance Portability and Accountability Act of 1996 in a first-of-its-kind settlement for not having policies and procedures in place. APDerm allegedly did not comply with certain requirements under the Health Information Technology for Economic and Clinical Health Act because it had never conducted an accurate and thorough risk assessment as part of its security management process, did not have written policies and procedures in place, and did not train employees as required by the breach notification rule. OCR received a report that an unencrypted thumb drive containing protected health information of approximately 2,200 individuals was stolen from a staff member’s vehicle; the resulting investigation revealed the compliance issues. As part of the settlement, APDerm must develop a corrective action plan, develop a risk analysis plan, and provide an implementation report to OCR.

