
Polsinelli - Health Care

January 2014


Stolen Thumb Drive Sets HIPAA Precedent





A Massachusetts dermatology practice, Adult & Pediatric Dermatology, P.C. ("APDerm"), recently agreed to pay $150,000 to settle potential violations of the HIPAA Privacy, Security, and Breach Notification Rules. The settlement was reached after a thumb drive containing the unencrypted electronic protected health information (ePHI) of approximately 2,200 patients was stolen from an APDerm employee's car.

While APDerm properly reported the incident to the Department of Health and Human Services Office for Civil Rights (OCR) in October 2011, OCR's subsequent investigation revealed that APDerm: (1) did not conduct an accurate and thorough analysis of the potential risks and vulnerabilities to the confidentiality of ePHI as part of its security management process until October 2012; (2) had no written breach notification policies and procedures in place and did not train employees on breach notification requirements until February 2012; and (3) impermissibly disclosed the ePHI of up to 2,200 individuals when it failed to reasonably safeguard the thumb drive.

In addition to the $150,000 payment, the settlement agreement requires APDerm to enter into and comply with a Corrective Action Plan (CAP). The CAP requires APDerm to conduct a comprehensive risk analysis of ePHI security risks among all of the practice's electronic systems within one year. Following the risk analysis, APDerm must develop a risk management plan to address and mitigate any security risks and, if necessary, revise its policies and procedures. APDerm's settlement with OCR for not having proper policies and procedures regarding breach notification requirements is the first of its kind.

What Providers Should Know

  • Covered entities should identify and document all information systems that contain ePHI. Covered entities should be sure to include in their risk analysis any hardware or software that is used to collect, store, process, or transmit ePHI.

  • Covered entities must document the risks and security controls that are in place to protect ePHI.

  • Covered entities should ensure that their breach policies and procedures are updated in accordance with the Omnibus Final Rule, particularly with regard to the four factor risk assessment.

  • Covered entities must train workforce members on breach notification and should retain all training documents for their records.





Copyright © 2014 Polsinelli PC.
