$1.5M HIPAA Settlement to be Paid to HHS by Massachusetts Healthcare Provider

by Patrick Kennedy | Dec 19, 2013

The theft of a laptop computer from Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates, Inc. (MEEI) has led to a $1.5 million settlement with the HHS Office for Civil Rights (OCR) for HIPAA violations.

The U.S. Department of Health and Human Services (HHS) enforces compliance with the Health Insurance Portability and Accountability Act (HIPAA), and MEEI was found to have violated the Security Rule by not taking adequate precautions to protect the health information of its patients and research subjects.

The laptop stored unencrypted data that could be viewed by whoever was in possession of the device. The data included patient prescription details, clinical information and other protected health information that could potentially be used to carry out medical and identity fraud.

Under the Breach Notification Rule of the Health Information Technology for Economic and Clinical Health (HITECH) Act, HHS must be notified of security breaches involving the exposure of patients' protected health information (PHI). MEEI's breach notification is what triggered the OCR review.

The OCR completed a full compliance review and found a number of areas where MEEI had not implemented the privacy and security measures required by the Security Rule. It also found that the security weaknesses had been allowed to persist for a considerable period of time.

MEEI had not conducted a thorough risk analysis of the portable devices it used to store electronic PHI (ePHI). It had failed to identify the security risk these devices posed, and had not taken steps to secure the data stored on them or to restrict unauthorized access.

Risk management was also deficient, and MEEI had no adequate monitoring system for detecting data breaches. It will need to develop its policies and procedures in this area and document procedures that allow breach notifications to be issued in a timely manner. The size of the settlement reflects the length of time the security problems had been allowed to persist and the number of non-compliance issues discovered. The OCR found that there had been organizational disregard of the HIPAA Security Rule at MEEI.

In addition to the financial settlement, MEEI must follow a corrective action plan (CAP) to address all of the HIPAA compliance issues identified, and must put in place a system to monitor security on a continuing basis.

In a statement released by the OCR, Director Leon Rodriguez said: "This enforcement action emphasizes that compliance with the HIPAA Privacy and Security Rules must be prioritized by management and implemented throughout an organization, from top to bottom."

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.


Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelor's degree is from the University of Limerick and his master's degree in journalism is from Dublin City University. You can contact Patrick through his LinkedIn profile: