The Office for Civil Rights (OCR) announced a settlement of potential violations of the HIPAA and Breach Notification Rules on December 27, 2013, with Adult & Pediatric Dermatology, P.C., of Concord, Mass. (AP Derm).


AP Derm settled potential violations with the OCR for a $150,000 payment and a corrective action plan. AP Derm is a private dermatology practice with four locations in Massachusetts and two in New Hampshire. This is the first settlement with a covered entity for not having policies and procedures in place to address the breach notification provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act.


The OCR investigated AP Derm after it received a report that an unencrypted thumb drive containing electronic PHI was stolen from a vehicle of one of its staff members. The investigation determined that the group did not conduct a risk analysis of the potential vulnerabilities, did not fully comply with the Breach Notification Rule, and failed to have written policies and procedures and to train its employees.