Just eighteen months after the first major HIPAA enforcement actions by the U.S. DHHS Office for Civil Rights (OCR), the OCR announced that Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates, Inc. (MEEI) had agreed to pay HHS $1.5 million to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules. In addition to the settlement, MEEI entered into a Resolution Agreement with HHS that includes a corrective action plan (CAP) requiring it to review and revise its policies and procedures, implement workforce training and hire an independent consultant to monitor its compliance with the CAP.
The settlement relates to a 2010 theft of an unencrypted laptop computer that was taken abroad by a physician affiliated with MEEI and that contained the protected health information (PHI), including prescription and clinical information, of approximately 3,500 MEEI patients and research subjects. In a recent publication, our colleagues Kim Kannensohn, Nathan Kottkamp and Amanda Enyeart describe additional circumstances of the breach and settlement.
It is now more critical than ever for covered entities and business associates, as well as healthcare investors examining a potential investment opportunity, to review the companies' HIPAA compliance efforts. Diligence on HIPAA compliance for the vast majority of companies involved in the US healthcare system is a vital element when considering investment. The organization's plan documents, training programs, security systems and preparedness for a HIPAA audit are among the most important elements to evaluate, and investors would be well served to include such a review in their diligence process.