A million and a half dollars here, a million and a half dollars there, and pretty soon, you're talking real money—even in the healthcare industry.
The Office for Civil Rights at HHS on Monday announced a settlement agreement for $1.5 million with a venerable Massachusetts healthcare organization, Boston-based Massachusetts Eye and Ear Infirmary and its affiliated medical group, Massachusetts Eye and Ear Associates, over alleged HIPAA security-rule violations. The alleged violations involve the reported theft of an unencrypted laptop bearing the records of 3,621 individual patients back in 2010.
I did a quick check of the OCR's "wall of shame" website and found MEEI was getting whacked on its second trip to the rodeo.
The privacy and security enforcers at the OCR, after a long, long period of quiescence, appear to be stepping up their enforcement efforts and availing themselves of the stiffer penalties that Congress provided in the American Recovery and Reinvestment Act's revisions to the Health Insurance Portability and Accountability Act's privacy and security rules.
And while the OCR is allowing MEEI to pay the fine on the installment plan, even $500,000 a year is a lot of money—a point not lost on MEEI itself.
In a statement, MEEI said that because no one appears to have been harmed, it was "disappointed with the size of the fine, especially since the independent specialty hospital's annual revenue is very small compared to other much larger institutions that have received smaller fines."
But it's hard to know what the government was supposed to do other than to take out its proverbial 2x4 and start whacking to get the healthcare industry's attention.