HHS' Office for Civil Rights announced that Massachusetts Eye and Ear Infirmary and its affiliated physician group, Massachusetts Eye and Ear Associates, agreed to pay $1.5 million to settle a HIPAA security-rule violation case.
The $1.5 million settlement with Boston-based Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates, collectively known as MEEI, is part of a resolution agreement (PDF)
with the Office for Civil Rights. MEEI's alleged violations of the Health Insurance Portability and Accountability Act's security rule stem from the reported 2010 theft of a laptop computer storing 3,621 patient records, according to HHS.
The Office for Civil Rights alleges that the infirmary and the group not only failed to secure data on the laptop but also failed to comply with several other HIPAA security-rule requirements, including performing “a thorough analysis of the risk to the confidentiality” of individually identifiable patient information stored on the portable device and not “adopting and implementing policies and procedures to restrict access to ePHI to authorized users of portable devices.” The term ePHI refers to electronic protected health information.
“In an age when health information is stored and transported on portable devices such as laptops, tablets and mobile phones, special attention must be paid to safeguarding the information held on these devices,” Office for Civil Rights Director Leon Rodriguez said in a news release
. “This enforcement action emphasizes that compliance with the HIPAA privacy and security rules must be prioritized by management and implemented throughout an organization, from top to bottom.”
The settlement amount is to be paid in three equal installments of $500,000—the first on Oct. 15 of this year and the next two on the same date in 2013 and 2014.
The 17-page resolution agreement also requires the organization “to adhere to a corrective action plan” and permits an independent monitor to make semi-annual assessments of MEEI's compliance with the plan for three years.
The American Recovery and Reinvestment Act of 2009 required the reporting to HHS of breaches affecting 500 or more individuals and the creation of a public accessible website
listing the breaches. There are now 490 such self-reported breach incidents on the list, which is maintained by the Office for Civil Rights. Combined, those breaches exposed the records of more than 21 million individuals, according to the office.
The infirmary is on the list twice. A November 2009 incident
involving 1,076 records stemmed from a police investigation into improper use of credit card information that led to the firing of two infirmary employees.