On September 17, 2012, Massachusetts Eye and Ear Infirmary, a Boston area hospital, has agreed to pay $1.5 million to the U.S. Department of Health and Human Services to settle allegations of violations of the HIPAA Security Rule. The hospital was investigated by the Office of Civil Rights (OCR) after the hospital submitted a breach report in April of 2010 notifying the OCR of the theft of a personal laptop containing unencrypted electronic protected health information (PHI) of hospital patients and research subjects.

OCR’s subsequent investigation discovered that the hospital failed to comply with various requirements of the HIPAA Security Rule when it failed to:

• Conduct a risk analysis of the confidentiality of PHI maintained on portable devices;

• Implement security measures to protect the confidentiality of the electronic PHI hospital created, maintained and transmitted via portable devices;

• Secure PHI contained in portable devices via encryption or to document the rationale for not using encryption;

• Adopt policies that restricted access to electronic PHI to only authorized users of the portable devices; and

• Adopt policies that addressed the proper way to identify, report and respond to security incidents like a laptop theft.

OCR’s investigation concluded that these failures had occurred over an extended period of time, demonstrating a long-term disregard for Security Rule requirements. In addition to the $1.5 million settlement, the hospital agreed to follow a corrective action plan that calls for the review, revision and maintenance of its policies to ensure future compliance with the Security Rule. The hospital also agreed to retain an independent monitor who will conduct assessments of the hospital’s compliance with the corrective action plan and render semi-annual reports to the OCR for the next three years.

This latest OCR enforcement action demonstrates that the agency is continuing to step up its enforcement efforts and can impose significant financial penalties for non-compliance with HIPAA. A copy of the settlement agreement and corrective action plan can be found at: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/meei-agreementpdf. pdf