On Sept. 17, 2012, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced that Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates, Inc. (collectively, "MEEI") had agreed to pay HHS $1.5 million to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules. In addition to the settlement, MEEI entered into a Resolution Agreement with HHS that includes a corrective action plan (CAP) requiring it to review and revise its policies and procedures, implement workforce training and hire an independent consultant to monitor its compliance with the CAP.
The settlement relates to a 2010 theft of an unencrypted laptop computer that was taken abroad by a physician affiliated with MEEI and that contained the protected health information (PHI), including prescription and clinical information, of approximately 3,500 MEEI patients and research subjects. MEEI's original announcement of the laptop theft and data breach noted that the laptop was equipped with a tracking device that allowed the vendor of the tracking device to send a command to the laptop to permanently disable the hard drive. However, MEEI was unable to determine whether PHI contained on the laptop had been accessed between the date of the theft and the date of the disabling of the hard drive. Accordingly, MEEI reported the breach to HHS as required by HIPAA.
According to the Resolution Agreement, the HHS investigation indicated that MEEI failed to demonstrate that it conducted a thorough analysis of the risk to the confidentiality of electronic protected health information (ePHI) on an ongoing basis as part of its security management process. In particular, MEEI did not evaluate the potential risks to the confidentiality of ePHI maintained in and transmitted using portable devices, did not implement appropriate security measures to address such potential risks, did not document the chosen security measures and their rationale and did not maintain reasonable and appropriate security measures. MEEI failed to adequately adopt or implement policies and procedures (1) to address security incident identification, reporting and response; (2) governing the removal of portable devices; or (3) to allow only authorized persons or software programs access to ePHI using portable devices. Finally, MEEI did not require encryption of the laptop or implement an equivalent, reasonable and appropriate alternative measure to encryption.
In a press release regarding the incident, HHS noted that the investigation indicated that these failures "continued over an extended period of time, demonstrating a long-term, organizational disregard for the requirements of the Security Rule." OCR Director Leon Rodriguez noted, "This enforcement action emphasizes that compliance with the HIPAA Privacy and Security Rules must be prioritized by management and implemented throughout an organization, from top to bottom." Despite deciding to accept the settlement, MEEI took the opportunity to state its belief in a press release that the size of the settlement was excessive and disproportionate to those of other institutions. MEEI further noted that it had addressed the areas of potential noncompliance identified by OCR between October of 2009 and June of 2010 and has already implemented many of the elements of the CAP.
As the fourth major enforcement action announced by the OCR in 2012, the MEEI settlement underscores OCR's ongoing commitment to aggressive enforcement of the HIPAA Privacy and Security Rules. Accordingly, covered entities and business associates should ensure that they have implemented all the elements of an effective HIPAA compliance program, including the performance of a HIPAA Security Rule risk assessment and the implementation of an effective risk management program.