$1.5M HIPAA Settlement to be Paid to HHS by Massachusetts Healthcare Provider

by | Dec 19, 2013

A laptop computer stolen from a healthcare supplier belonging to Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates, Inc. (MEEI) has led to a $1.5 million settlement with the HHS Office for Civil Rights for HIPAA violations.

The U.S. Department of Health and Human Services is enforcing Health Insurance Portability and Accountability Act compliance, and MEEI was found to have violated the Security Rule by not taking adequate precautions to protect the health information of its patients and research subjects.

The laptop stored unencrypted data that could be viewed by anyone in possession of the device. The data included patient prescription details, clinical information and other protected health information that could potentially be used to commit medical and identity fraud.

Under the Health Information Technology for Economic and Clinical Health Act (HITECH) Breach Notification Rule, the HHS must be notified of security breaches involving the exposure of patients' PHI. MEEI's breach notification is what triggered the OCR review.

The OCR completed a full compliance review and found a number of areas where MEEI had not implemented the privacy and security measures required by the Security Rule. It also found that these security weaknesses had been allowed to persist for a considerable length of time.

MEEI had not conducted an in-depth risk analysis of the portable devices used to store ePHI. It had failed to identify the security risk these devices posed, and had not taken steps to secure the data they stored or to restrict unauthorized access to it.

Risk management deficiencies also existed, and the monitoring in place to identify data breaches was poor. MEEI will need to develop its policies and procedures in this area and document procedures that allow breach notifications to be issued in a timely manner. The size of the fine reflects both the length of time the security problems had been allowed to exist and the number of non-compliance issues discovered. The OCR found an organizational disregard of the HIPAA Security Rule at MEEI.

In addition to the financial sanction, MEEI must follow a corrective action plan (CAP) to address all HIPAA compliance issues and must put a system in place to monitor security continually.

In a statement released by the OCR, Director Leon Rodriguez said: "This enforcement action emphasizes that compliance with the HIPAA Privacy and Security Rules must be prioritized by management and implemented throughout an organization, from top to bottom."


Ryan Coyne

Ryan Coyne is a results-driven leader in the healthcare compliance industry, specializing in regulatory compliance, compliance training, and assisting healthcare organizations and business associates in achieving and maintaining compliance. With a deep knowledge of healthcare regulations and a keen understanding of the challenges faced by the industry, Ryan has developed a reputation as a trusted advisor and advocate for ethical and compliant practices in healthcare. Ryan has successfully advised and guided numerous healthcare organizations, business associates, and healthcare professionals on achieving and maintaining compliance with regulatory training requirements. Ryan's professional focus is using his in-depth expertise and leading a world class team of subject matter experts at ComplianceJunction in regulatory compliance to help organisations navigate the complex landscape of ensuring staff adhere to healthcare regulations. You can connect with Ryan via LinkedIn and follow on Twitter
