Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

USA: OCR announces $300,640 settlement with New England Dermatology

The United States Department of Health and Human Services ('HHS') Office for Civil Rights ('OCR') announced, on 23 August 2022, that it had reached a settlement, within the transaction number 01-21-425743, with New England Dermatology & Laser Center to pay the OCR $300,640 as well as undertake a Corrective Action Plan ('CAP') to settle a potential violation of the Health Insurance Portability and Accountability Act of 1996 ('HIPAA') Security and Privacy Rules (under Part 164 of Title 45 Code of Federal Regulations) ('the Security and Privacy Rules'), following an investigation by the OCR on a security incident occurred within New England Dermatology.

Background to the case

The OCR explained that it had initiated an investigation against New England Dermatology after the latter had filed a breach report to the OCR, stating that empty specimen containers with protected health information ('PHI') on the labels were placed in a garbage bin in its parking lot. The information on the labels included patient names, dates of birth, dates of sample collection, and names of the provider who had taken the specimen.

Findings of the OCR

Based on the investigation carried out, the OCR found that New England Dermatology had failed to maintain appropriate safeguards to protect the privacy of PHI, and had disclosed PHI to unauthorised individuals, in violation of §§164.530(c) and 164.502(a) of the Security and Privacy Rules respectively.

Outcomes

The HHS agreed to accept, and New England Dermatology agreed to pay the HHS the amount of $300,640 as a resolution amount for the settlement. Moreover, New England Dermatology committed to undertake a CAP, which will include, among other things:

  • developing and maintaining appropriate policies and procedures to comply with the federal standards that govern the privacy of individually identifiable health information;
  • designating a privacy official responsible for the implementation of the policies and procedures and a contact person or office who is responsible for receiving complaints; and
  • providing the HHS with training materials for all members of its workforce within 60 days of the approval of its policies and procedures.

You can read the press release here and the resolution agreement and corrective action plan here.

Feedback