Earlier this week, HHS announced that it had reached a settlement agreement with the Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates, Inc. in the amount of $1.5 million, relating to a breach report submitted by MEEI. The report, as required by the HIPAA Breach Notification Rule, was made after the theft of an unencrypted personal laptop containing electronic protected health information (ePHI) of patients and research subjects. In particular, the stolen laptop contained patient prescriptions and other clinical information. OCR’s investigation revealed that MEEI failed to take appropriate precautions, such as conducting a thorough risk analysis with regard to the confidentiality of ePHI on portable devices. In addition to the financial settlement, MEEI agreed to adhere to a corrective action plan including reviewing, revising and maintaining policies and procedures to comply with the HIPAA Security Rule, and to retain an independent monitor to conduct assessments of MEEI’s compliance with the corrective action plan.
This is yet another example of OCR’s increasing focus on enforcement of the HIPAA security and privacy rules. It also underscores the importance of evaluating your organization’s policies and procedures, including conducting a risk assessment, especially with regard to ePHI stored on portable electronic devices.
A copy of the full HHS Resolution Agreement relating to MEEI can be found at http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/MEEI-agreement.html.