A stolen laptop computer from a healthcare supplier belonging to Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates, Inc. (MEEI) has led to a settlement of $1.5 million with the HHS Office for Civil Rights for HIPAA breaches.
The U.S. Department of Health and Human Services is enforcing Health Insurance Portability and Accountability Act compliance, and MEEI was found to have violated the Security Rule by not taking adequate precautions to protect the health information of its patients and research subjects.
The laptop stored unencrypted data which could be viewed by the person in possession of the laptop. The data included patient prescription details, clinical information and other protected data that could potentially be used to carry out medical and identity fraud.
As per the Health Information Technology for Economic and Clinical Health Act (HITECH) Breach Notification Rule, the HHS must be made aware of security breaches involving the exposure of PHI of patients. When MEEI issued the notification it triggered the OCR review.
The OCR completed a full compliance review and found there were a number of areas where MEEI had not implemented the necessary privacy and security measures as required by the Security Rule. It also found that the security weaknesses had been allowed to exist for a considerable length of time.
MEEI had not conducted an in-depth risk analysis with regard to portable devices used to store ePHI. It had failed to identify the security risk these devices posed, and had not taken steps to secure the data the devices stored and restrict unauthorized access.
Risk management issues existed and there was a poor monitoring system to identify data breaches. MEEI will need to develop its policies and procedures in this regard and document procedures to allow breach notifications to be issued in a timely manner. The heavy fine reflects the length of time the security problems had been allowed to exist and the number of non-compliance issues discovered. The OCR ruled that there had been organizational disregard of the HIPAA Security Rule at MEEI.
In addition to the heavy sanction, a corrective action plan (CAP) must be followed to address all HIPAA compliance issues, and a system must be put in place to monitor security continually.
In a statement released by the OCR, Director Leon Rodriguez stated, “This enforcement action emphasizes that compliance with the HIPAA Privacy and Security Rules must be prioritized by management and implemented throughout an organization, from top to bottom.”