OCR Settles Breach Notification Case with Massachusetts Provider for $1.5 Million


Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates, Inc. (collectively, MEEI), a specialty hospital and physician group practice located in the greater Boston area, agreed to pay the U.S. Department of Health and Human Services (HHS) $1.5 million to settle alleged HIPAA violations associated with the theft of an unencrypted personal laptop containing the electronic personal health information (e-PHI) of approximately 3,500 MEEI patients and research subjects.  MEEI did not admit any liability or wrongdoing in connection with the settlement.

The laptop belonged to a physician affiliated with MEEI and was stolen in February 2010 while the physician was lecturing in South Korea.  The information on the laptop included demographic and medical information, but was believed not to include any social security numbers, financial account numbers or credit or debit card numbers.  According to MEEI, there was no indication that the information on the stolen laptop had been accessed or used inappropriately.

MEEI submitted a report of the breach to the HHS Office for Civil Rights (OCR) as required by the HIPAA Breach Notification Rule, which resulted in an OCR investigation into the matter.  OCR’s investigation indicated that MEEI failed to take necessary steps to comply with certain HIPAA Security Rule requirements, such as conducting a thorough risk analysis regarding the confidentiality of e-PHI maintained on portable devices, implementing security measures sufficient to ensure the confidentiality of e-PHI created, maintained and transmitted by MEEI using portable devices, and adopting and implementing policies and procedures to address security incident identification, reporting and response.  According to OCR, these failures continued over an extended period of time and demonstrated a long-term disregard for the Security Rule requirements.   

In addition to the $1.5 million fine, MEEI agreed to implement a corrective action plan (CAP), which includes a commitment to perform a risk assessment, review policies and procedures and provide staff education.  MEEI must designate an individual or entity to monitor its compliance with the CAP. 

MEEI expressed disappointment in the size of the fine in a statement on its website, noting that the independent specialty hospital’s annual revenue is small compared to other larger institutions that received smaller fines. 

For a copy of the Resolution Agreement, please click here. To read the HHS press release, please click here. For the MEEI press release, which includes a link to the press release announcing the breach, click here.

Reporter, Kerrie S. Howze, Atlanta, + 1 404 572 3594, khowze@kslaw.com.

Published In: Administrative Agency Updates, Health Updates, Privacy Updates, Science, Computers & Technology Updates

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© King & Spalding | Attorney Advertising
