In a case that dramatically illustrates the high cost of not protecting individuals’ personal health information, a Massachusetts medical care provider will pay the federal government $1.5 million to settle potential violations of the HIPAA Privacy and Security Rules.
Massachusetts Eye and Ear Associates, Inc. (MEEI) and the Department of Health and Human Services agreed to the settlement following an HHS investigation into how a MEEI laptop with unencrypted, protected health information, including prescriptions and clinical data, was stolen. MEEI had reported the loss of the computer to HHS as required under HIPAA’s breach of security notification provision.
As part of the agreement, the company also will improve its security policies and retain an independent monitor to report on its compliance efforts.
In announcing the settlement, HHS stated that MEEI had “failed to take necessary steps to comply with requirements of the HIPAA Privacy and Security Rule, such as conducting a thorough analysis of the risk to the confidentiality of electronic protected health information (ePHI) maintained on portable devices, implementing security measures sufficient to ensure the confidentiality of ePHI that MEEI created, maintained, and transmitted using portable devices, adopting and implementing policies and procedures to restrict access to ePHI to authorized users of portable devices, and adopting and implementing policies and procedures to address security incident identification, reporting, and response.”
Commenting on the settlement in its EBIA Weekly e-newsletter, Thomson Reuters stated that, "Plan sponsors and business associates should assume that any breach notification may lead to an investigation and that the investigation will be broader than the original incident, so it's crucial to have privacy and security compliance in order before a potential breach occurs.”
