Massachusetts Healthcare Provider to pay $1.5M HIPAA Settlement to HHS
The theft of a laptop computer from a healthcare center belonging to Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates, Inc. (MEEI) has resulted in a settlement of $1.5 million with the HHS Office for Civil Rights for HIPAA violations.
The U.S. Department of Health and Human Services (HHS), through its Office for Civil Rights (OCR), enforces compliance with the Health Insurance Portability and Accountability Act (HIPAA). OCR found that MEEI had violated the HIPAA Security Rule by failing to take adequate precautions to protect the electronic health information of its patients and research subjects.
The data on the laptop was unencrypted, so anyone in possession of the device could read it. It included patient prescription details and clinical information, protected health information (PHI) that could be used to commit medical and identity fraud.
Under the Breach Notification Rule introduced by the Health Information Technology for Economic and Clinical Health (HITECH) Act, covered entities must notify HHS of breaches of unsecured PHI. PHI that is encrypted in line with HHS guidance counts as secured, so the loss of a properly encrypted laptop would not have been a reportable breach. MEEI's notification of the laptop theft is what triggered the OCR investigation.
OCR conducted a full compliance review and determined that MEEI had failed to implement a number of the privacy and security controls required by the Security Rule, and that these deficiencies had persisted for a considerable period of time.
MEEI had not conducted a thorough risk analysis of the portable devices used to store electronic protected health information (ePHI). It had therefore neither identified the risk these devices posed nor taken steps to secure the data they held and restrict unauthorized access to it.
OCR also found deficiencies in risk management and an inadequate monitoring system for identifying data breaches. MEEI will be required to develop policies and procedures in these areas and to document procedures that allow breach notifications to be issued in a timely manner. The size of the settlement reflects both the length of time the security issues had been allowed to exist and the number of non-compliance issues discovered; OCR characterized MEEI's conduct as organizational disregard of the HIPAA Security Rule.
In addition to the $1.5 million payment, MEEI must follow a corrective action plan (CAP) that addresses all of the identified HIPAA compliance issues, and it must implement a system for monitoring security on an ongoing basis.
In a statement issued by the OCR, Director Leon Rodriguez said “This enforcement action emphasizes that compliance with the HIPAA Privacy and Security Rules must be prioritized by management and implemented throughout an organization, from top to bottom.”