On December 26, 2013, Adult & Pediatric Dermatology, a dermatology practice located in Massachusetts, agreed to pay a $150,000 fine after it lost an unencrypted thumb drive containing over 2,000 patients’ health records, and for its failure to implement HITECH’s breach notification requirements in response to the loss. According to the notice on the Department of Health and Human Services’ (“HHS”) website, the practice also did not have in place the breach notification and training policies and procedures required under HITECH.
Providers must have proper breach notification and training policies and procedures in place in order to identify and mitigate risk to protected health information. Further, providers must make it a priority to secure electronic protected health information by, for example, encrypting hard drives.
Regarding the incident, the Director of the HHS Office for Civil Rights said, “An ounce of prevention is worth a pound of cure.”