Healthcare Newsletter

Derm Practice Pays for stolen Thumb Drive - OCR says - Ounce of prevention is worth a pound of cure

January 7, 2014

It's happened.  The Office for Civil Rights has settled its first case with a medical practice for "not having policies and procedures in place to address the breach notification provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act, passed as part of American Recovery and Reinvestment Act of 2009 (ARRA)."  Press Release Available Here.

The Facts:  A dermatology practice with 6 locations in New Hampshire and Massachusetts has agreed to pay the Office for Civil Rights $150,000 for potential violations of HIPAA.  The practice came under investigation after it was reported to OCR that an unencrypted thumb drive containing data on 2,200 patients had been stolen from a staff member's vehicle.  The thumb drive was not recovered.

In the press release, OCR clearly indicates that most of the practice's exposure came not from the theft of the thumb drive but from the practice's failure to adequately conduct the required "accurate and thorough analysis of the potential risks and vulnerabilities."  The press release also states that "the Practice did not fully comply with requirements of the Breach Notification Rule to have in place written policies and procedures and train workforce members."

OCR Director Leon Rodriguez added - “As we say in health care, an ounce of prevention is worth a pound of cure...That is what a good risk management process is all about – identifying and mitigating the risk before a bad thing happens.  Covered entities of all sizes need to give priority to securing electronic protected health information.”

Looking to start 2014 compliantly?  I recommend you get started with a proper Breach Notification Policy, among other compliance documents you may be missing.

Have a question or comment for Jennifer?  Contact Jennifer at (516) 747-6700 x. 302.