Failure to take necessary steps to comply with the Health Insurance Portability and Accountability Act (“HIPAA”) Security Rule has recently led to a Massachusetts-based provider’s $1.5 million settlement with the U.S. Department of Health and Human Services Office of Civil Rights (“OCR”). The hefty figure should give pause to both covered entities and their business associates who have not implemented specific policies to prevent and address potential security breaches.
The OCR’s investigation of Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates, Inc. (“MEEI”) followed the provider’s report of the theft of an unencrypted personal laptop containing the protected health information (“PHI”) of over 3,500 patients and research subjects. The electronic PHI included patient prescriptions and clinical information. MEEI’s reporting of the breach was required by the Health Information Technology for Economic and Clinical Health Act (HITECH) Breach Notification Rule.
According to the Resolution Agreement and Corrective Action Plan between MEEI and the Office of Civil Rights, MEEI specifically failed to do the following:
- Evaluate the likelihood and impact of potential risks to the confidentiality of electronic PHI maintained in and transmitted using portable devices.
- Adopt or implement policies and procedures to address security incident information, reporting, and response.
- Adopt or implement policies and procedures to restrict access to authorized users for portable devices that access electronic PHI.
- Adopt or implement policies and procedures governing the receipt and removal of portable devices into, out of, and within the facility.
In addition to paying the $1.5 million fine, MEEI has agreed to have an independent monitor conduct assessments of the organization’s compliance with the corrective action plan for a 3-year period. The settlement agreement and accompanying fine underscore the critical importance of having HIPAA compliance programs in place. In light of rapidly changing technology, covered entities and their business associates need to adopt and implement specific policies addressing the use of mobile or portable devices to store and transmit PHI. Failure to do so might lead to future headaches and substantial fines.
The full press release issued by the Office of Civil Rights can be found here.