Unencrypted Laptop Theft Leads to $1.5 Million HHS Settlement

Posted by BAS - 19 September, 2012


The U.S. Department of Health and Human Services (HHS) announced a $1.5 million settlement with Massachusetts Eye and Ear Infirmary (“MEEI”). The settlement is a result of an Office of Civil Rights (OCR) investigation after MEEI’s self-reported loss of an unencrypted personal laptop computer that contained electronic Protected Health Information (ePHI).

The HITECH breach notification amendments to HIPAA require covered entities to provide notice to individuals whose unsecured ePHI has been breached. Covered entities must also notify HHS within 60 days of discovery of a large breach impacting 500 or more individuals. Only events that meet HITECH's definition of "breach" must be reported. Generally, a breach for HITECH reporting purposes is an unauthorized use or disclosure of electronic PHI that is not secured and that causes a significant risk of financial or reputational harm.

A laptop belonging to an MEEI employee, which contained unsecured electronic protected health information of patients and research subjects, was stolen. The laptop held prescription and personal information.

MEEI reported the breach to HHS, as HITECH requires. OCR investigated the incident and found that MEEI had demonstrated a “long-term, organizational disregard” for the HIPAA Security Rule. OCR observed that MEEI had not conducted a risk analysis to evaluate the security and confidentiality of ePHI. Further, OCR noted that MEEI had not adopted and implemented measures to ensure that access to ePHI was restricted. HHS announced the settlement in a press release.

In addition to the $1.5 million settlement, MEEI is required to follow a corrective action plan, which includes reviewing, revising, and maintaining policies and procedures to ensure compliance with the Security Rule. MEEI must subject these policies to an independent monitor who will assess MEEI's HIPAA compliance and send reports to HHS for 3 years.

Employers are encouraged to review their HIPAA Privacy and Security Policies, and ensure that employees are properly trained. In the event of a reportable breach under HITECH, HHS will not look kindly upon an organization that does not regularly assess its HIPAA security and privacy posture. For assistance with HIPAA training, contact us at 800.945.5513 or PR@basusa.com.
