Late yesterday, the HHS Office for Civil Rights ("OCR") announced that it had reached a $1.5 million settlement with Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates, Inc. ("MEEI") to settle potential HIPAA Security violations.  As part of the settlement, MEEI also agreed to a Corrective Action Plan to improve policies and procedures to safeguard the privacy and security of its patients' protected health information.

OCR's investigation followed a breach report submitted by MEEI, as required by the HIPAA Breach Notification Rule, reporting the 2010 theft, during travel in South Korea, of an unencrypted personal laptop containing the electronic protected health information of MEEI patients and research subjects. Here is how MEEI described the situation at the time:

Mass. Eye and Ear has no indication that the information on the stolen computer has actually been accessed or inappropriately used. The computer was password protected and contained a tracking device commonly referred to as “LoJack.” The tracking device contacted LoJack on March 9 when the stolen computer was connected to the internet in South Korea. LoJack was able to monitor the computer’s configuration and on-line use, and determined that:

  • A new operating system was installed on the computer following the theft, and 
  • Software needed to access most of the information about affected Mass. Eye and Ear individuals had not been reinstalled.

On April 9 it was determined that it was unlikely that continued monitoring of the computer would lead to its retrieval, and a command was sent by LoJack to the computer permanently disabling the hard drive and rendering any information, including information about affected Mass. Eye and Ear individuals contained on the hard drive, permanently unreadable.  

These are hardly the actions of an irresponsible party, and yet a $1.5 million settlement resulted.  It seems clear from this settlement that OCR is expecting robust risk assessment (and encryption) for securing ePHI on all mobile devices.

In particular, OCR stated that its investigation indicated that MEEI failed to take necessary steps to comply with certain requirements of the Security Rule, such as conducting a thorough analysis of the risk to the confidentiality of ePHI maintained on portable devices, implementing security measures sufficient to ensure the confidentiality of ePHI that MEEI created, maintained, and transmitted using portable devices, adopting and implementing policies and procedures to restrict access to ePHI to authorized users of portable devices, and adopting and implementing policies and procedures to address security incident identification, reporting, and response. OCR said its investigation indicated that these failures continued over an extended period of time, demonstrating a long-term organizational disregard for the requirements of the Security Rule.

In addition to the $1.5 million settlement, the agreement requires MEEI to adhere to a corrective action plan which includes reviewing, revising and maintaining policies and procedures to ensure compliance with the Security Rule, and retaining an independent monitor who will conduct assessments of MEEI's compliance with the corrective action plan and render semi-annual reports to HHS for a 3-year period. As such, the long-term costs to MEEI will greatly exceed the $1.5 million it has to pay OCR.