HHS/OCR and Massachusetts Physician Practice Enter into HIPAA Resolution Agreement
The first settlement involving a covered entity’s failure to establish and implement policies and procedures addressing the HIPAA Breach Notification Rule was entered into on December 24, 2013 between the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), and Adult & Pediatric Dermatology, P.C., a physician practice with offices in Massachusetts and New Hampshire (the Practice). Under a Resolution Agreement, the Practice agreed to pay a $150,000 fine and enter into a Corrective Action Plan to resolve potential HIPAA violations.

OCR’s investigation of the Practice’s HIPAA compliance was prompted by the theft of an unencrypted thumb drive from the vehicle of a member of the Practice’s workforce. The thumb drive was never recovered, and the Practice gave notice to affected individuals and the media as required by the HIPAA Breach Notification Rule. However, in the course of its investigation of the Practice’s HIPAA compliance, OCR asserted that not only had the Practice improperly disclosed unencrypted electronic PHI to unauthorized individuals through the theft of the thumb drive, but also that two additional potential HIPAA violations had occurred. The first was that the Practice had not conducted the risk analysis in connection with the security management process required under the Security Rule at 45 CFR Sec. 164.308(a)(1). The second was that the Practice had not fully complied with the administrative requirements of the Breach Notification Rule at 45 CFR Sec. 164.414(a); specifically, it did not have policies and procedures in place for, and did not train the members of its workforce on, the breach notification requirements.

The Corrective Action Plan requires the Practice to conduct a comprehensive risk analysis of the security risks and vulnerabilities of all of the Practice’s electronic media and systems, develop a risk management plan to address and mitigate any security risks and vulnerabilities identified in the risk analysis, and if necessary revise its policies and procedures and train its workforce members on the revised policies and procedures, all under the oversight of OCR.

The HHS press release and the Resolution Agreement can be found on the OCR website at:


This settlement is a timely reminder that giving the required breach notifications does not insulate a covered entity from liability under HIPAA – all elements of HIPAA compliance, including documentation and training, are monitored by OCR.

Developing and implementing a comprehensive HIPAA compliance program is an ounce of prevention that limits substantial exposure, both financial and administrative, to HHS/OCR.

Riddell Williams has significant expertise in developing HIPAA compliance program policies and procedures. Please contact Barbara Shickich for assistance with HIPAA compliance.
