On September 17, 2012, the Department of Health and Human Services (“HHS”) announced a $1.5 million settlement with the Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates Inc. (“MEEI”) for potential violations of the HIPAA Security Rule. In connection with the announcement, the HHS Office for Civil Rights (“OCR”) Director Leon Rodriguez stated that organizations should pay special attention to safeguarding information “stored and transported on portable devices such as laptops, tablets, and mobile phones” and that “compliance with the HIPAA Privacy and Security Rules must be prioritized by management and implemented throughout an organization, from top to bottom.”
The settlement relates to the theft of an unencrypted laptop containing electronic protected health information (“ePHI”) of MEEI patients and research subjects. Following the submission of a breach report to OCR as required by the Health Information Technology for Economic and Clinical Health (“HITECH”) Act, OCR began an investigation. As stated in the resolution agreement, OCR determined that MEEI had not complied with the requirements of the Security Rule, including by failing to (1) analyze the risks to ePHI on an ongoing basis as part of its security management process, (2) implement security measures to ensure that the confidentiality of ePHI on portable devices was at a reasonable and appropriate level, (3) adopt security incident reporting and response procedures, (4) implement policies and procedures to restrict access to ePHI on portable devices to authorized users, (5) address the receipt and removal of portable devices from its facilities, and (6) adopt technical measures to restrict access to ePHI on portable devices.
Pursuant to the resolution agreement, MEEI has agreed to pay $1.5 million to HHS in three annual installments of $500,000 to settle the potential violations. In addition, the Corrective Action Plan attached to the resolution agreement requires MEEI to develop HIPAA policies and procedures that focus on the risks and vulnerabilities of portable devices containing ePHI. Finally, MEEI is required to train its workforce on the new policies and procedures, conduct a risk analysis and designate a monitor who will report to OCR on MEEI’s compliance with the Corrective Action Plan.