Stolen laptop leads to $1.5 million HIPAA settlement
Failure to take necessary steps to comply with the Health Insurance Portability Act (“HIPAA”) Security Rule has recently led to a Massachusetts-based provider’s $1.5 million settlement with the U.S. Department of Health and Human Services Office of Civil Rights (“OCR”). The hefty figure should give pause to both covered entities and their business associates who have not implemented specific policies to prevent and address potential security breaches.
The OCR’s investigation of Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates, Inc. (“MEEI”) followed the provider’s report of the theft of an unencrypted personal laptop containing the protected health information (“PHI”) of over 3,500 patients and research subjects. The electronic PHI included patient prescriptions and clinical information. MEEI’s reporting of the breach was required by the Health Information Technology for Economic and Clinical Health Act (HITECH) Breach Notification Rule.
According to the Resolution Agreement and Corrective Action Plan between MEEI and the Office of Civil Rights, MEEI specifically failed to do the following:
- Evaluate the likelihood and impact of potential risks to the confidentiality of electronic PHI maintained in and transmitted using portable devices.
- Adopt or implement policies and procedures to address security incident information, reporting, and response.
- Adopt or implement policies and procedures to restrict access to authorized users for portable devices that access electronic PHI.
- Adopt or implement policies and procedures governing the receipt and removal of portable devices into, out of, and within the facility.
In addition to paying the $1.5 million fine, MEEI has agreed to have an independent monitor conduct assessments of the organization’s compliance with the corrective action plan for a 3-year period. The settlement agreement and accompanying fine underscore the critical importance of having HIPAA compliance programs in place. In light of rapidly changing technology, covered entities and their business associates need to adopt and implement specific policies addressing the use of mobile or portable devices to store and transmit PHI. Failure to do so might lead to future headaches and substantial fines.
The full press release issued by the Office of Civil Rights can be found here.