Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates, Inc. (collectively, MEEI), a specialty hospital and physician group practice located in the greater Boston area, agreed to pay the U.S. Department of Health and Human Services (HHS) $1.5 million to settle alleged HIPAA violations associated with the theft of an unencrypted personal laptop containing the electronic personal health information (e-PHI) of approximately 3,500 MEEI patients and research subjects. MEEI did not admit any liability or wrongdoing in connection with the settlement.
The laptop belonged to a physician affiliated with MEEI and was stolen in February 2010 while the physician was lecturing in South Korea. The information on the laptop included demographic and medical information, but was believed not to include any social security numbers, financial account numbers or credit or debit card numbers. According to MEEI, there was no indication that the information on the stolen laptop had been accessed or used inappropriately.
MEEI submitted a report of the breach to the HHS Office for Civil Rights (OCR) as required by the HIPAA Breach Notification Rule, which resulted in an OCR investigation into the matter. OCR’s investigation indicated that MEEI failed to take necessary steps to comply with certain HIPAA Security Rule requirements, including: conducting a thorough risk analysis regarding the confidentiality of e-PHI maintained on portable devices; implementing security measures sufficient to ensure the confidentiality of e-PHI created, maintained and transmitted by MEEI using portable devices; and adopting and implementing policies and procedures to address security incident identification, reporting and response. According to OCR, these failures continued over an extended period of time and demonstrated a long-term disregard for the Security Rule requirements.
In addition to the $1.5 million fine, MEEI agreed to implement a corrective action plan (CAP), which includes a commitment to perform a risk assessment, review policies and procedures and provide staff education. MEEI must designate an individual or entity to monitor its compliance with the CAP.
MEEI expressed disappointment in the size of the fine in a statement on its website, noting that the independent specialty hospital’s annual revenue is small compared to other larger institutions that received smaller fines.
For a copy of the Resolution Agreement, please click here. To read the HHS press release, please click here. For the MEEI press release, which includes a link to the press release announcing the breach, click here.