On September 17, 2012, the U.S. Department of Health & Human Services (HHS) announced that Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates Inc. (collectively, MEEI) had agreed to a $1.5 million settlement over potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule. The announced settlement is the fourth such settlement in 2012 related to violations of the HIPAA Security Rule. The Security Rule aims to protect electronic protected health information (ePHI) by requiring certain physical, technical, and administrative safeguards.
The "potential violations" announced by HHS related to the theft of an MEEI employee's personal laptop containing ePHI. The laptop was not encrypted, so the ePHI on it was unprotected. As required under the Health Information Technology for Economic and Clinical Health Act (HITECH), MEEI self-reported the loss of this unencrypted ePHI to the government. The $1.5 million settlement was reached even though MEEI had self-reported the loss of the unencrypted computer to HHS.
The HHS Office for Civil Rights (OCR) investigated the self-reported loss and found that MEEI had demonstrated a "long-term, organizational disregard" for the HIPAA Security Rule.
In addition to the monetary settlement, MEEI agreed to take corrective action to improve its policies and procedures to ensure the privacy and security of its patients' ePHI.
As reported by HHS:
"In an age when health information is stored and transported on portable devices such as laptops, tablets, and mobile phones, special attention must be paid to safeguarding the information held on these devices," said OCR Director Leon Rodriguez. "This enforcement action emphasizes that compliance with the HIPAA Privacy and Security Rules must be prioritized by management and implemented throughout an organization, from top to bottom."
The decision by HHS can be viewed as a warning shot to all companies that use ePHI -- it emphasizes the necessity to create, and most importantly implement, ePHI compliance protocols as a priority to ensure electronic data compliance, rather than simply creating and filing a piece of paper named "compliance policy." It is imperative that effective compliance protocols be implemented and that training be provided to employees at all levels.