The U.S. Department of Health and Human Services (HHS) Office of Civil Rights (OCR) announced a $1.5 million settlement with Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates Inc. (MEEI), which resolves potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule.
As required by the Health Information Technology for Economic and Clinical Health Act’s Breach Notification Rule, MEEI reported the theft of an unencrypted laptop that contained electronic protected health information (ePHI) of MEEI patients and research subjects.
OCR conducted an investigation and found that MEEI did not take the necessary steps to comply with certain requirements of the Security Rule, including:
- Analyzing the risk to the confidentiality of ePHI maintained on portable devices;
- Implementing sufficient security measures to ensure the confidentiality of ePHI;
- Implementing policies and procedures to restrict access to authorized users of the portable devices; and
- Implementing policies and procedures to address security incident identification, reporting, and response.
OCR found that MEEI's failure to comply with the requirements occurred over an extended period of time. OCR Director Leon Rodriguez emphasized in a statement that because confidential health information is stored and transported on portable devices such as laptops, tablets and mobile phones, special attention must be paid to safeguarding the information held on those devices.
In addition to the $1.5 million settlement, MEEI must adhere to a corrective action plan to address the security gaps that resulted in the violations. More information about OCR's enforcement activities may be found here.