Healthcare News & Insights

$1.5 million settlement for HIPAA security violations

Hospitals that use portable electronic devices to store and transmit electronic protected health information (ePHI) need to make sure they’ve taken the appropriate steps to protect patients’ information, and that those steps are all documented. Otherwise, they could end up facing a $1.5 million HIPAA settlement, as this practice did.

Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associations Inc., known collectively as MEEI, was investigated by the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) after it submitted a breach report. The breach occurred when an unencrypted personal laptop was stolen. The laptop contained ePHI (prescriptions and clinical information) on its patients and research subjects.

The Health Information Technology for Economic and Clinical Health Act (HITECH) Breach Notification Rule requires covered entities to report a breach of unsecured PHI to affected individuals, the HHS OCR Secretary and, in some instances, the media.

Compliance failure

OCR’s investigation found that MEEI didn’t take the steps needed to comply with certain requirements of the Security Rule, such as:

  • conducting a thorough analysis of the risk to the confidentiality of ePHI maintained on portable devices
  • implementing security measures sufficient to ensure the confidentiality of ePHI that MEEI created, maintained and transmitted using portable devices
  • adopting and implementing policies and procedures to restrict access to ePHI to authorized users of portable devices, and
  • adopting and implementing policies and procedures to address security incident identification, reporting and response.

The investigation also indicated that these failures continued over an extended period of time, demonstrating organizational disregard for the requirements of the Security Rule.

“In an age when health information is stored and transported on portable devices such as laptops, tablets and mobile phones, special attention must be paid to safeguarding the information held on these devices,” said Leon Rodriguez, OCR director, in an HHS press release. “This enforcement action emphasizes that compliance with the HIPAA Privacy and Security Rules must be prioritized by management and implemented throughout an organization, from top to bottom.”

In addition to the $1.5 million settlement, the agreement also requires MEEI to follow a corrective action plan, which includes reviewing, revising and maintaining policies and procedures to ensure compliance with the Security Rule. An independent monitor will conduct assessments of MEEI’s compliance with the plan and provide semi-annual reports to HHS for three years.
