
HHS Office for Civil Rights Secures $1.5 million HIPAA Settlement

The U.S. Department of Health and Human Services (HHS) recently agreed to a $1.5 million settlement with the Massachusetts Eye and Ear Infirmary (MEEI) for violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule.

The HIPAA Security Rule protects electronic health information by requiring HIPAA-covered entities to use various safeguards to ensure that electronic protected health information remains private and secure. The Privacy Rule, by contrast, grants individuals rights over protected health information, and sets rules for who may view that information.

MEEI submitted a HIPAA breach report, as required by HIPAA’s Breach Notification Rule, following the theft of an unencrypted personal laptop. The laptop contained electronic protected health information (ePHI), including patient prescriptions and clinical information.

The HHS Office for Civil Rights (OCR), which enforces HIPAA Privacy and Security Rules, determined that the provider failed to take necessary steps to comply with the Security Rule, including:

  • Conducting a thorough analysis of the risk to the confidentiality of ePHI maintained on portable devices;
  • Implementing security measures sufficient to ensure the confidentiality of ePHI that MEEI created, maintained and transmitted using portable devices;
  • Adopting and implementing policies and procedures to restrict access to ePHI to authorized users of portable devices; and
  • Adopting and implementing policies and procedures to address security incident identification, reporting, and response.

The OCR investigation found that these failures existed over an extended period of time, demonstrating organizational disregard for the requirements of the Security Rule. Accordingly, MEEI must also follow a corrective action plan to revise and maintain policies to ensure compliance. The corrective action plan includes an independent monitor to assess MEEI’s compliance with the settlement and render reports to HHS for 3 years.

HIPAA Privacy and Security Rules, together with the HIPAA Breach Notification Rule, require health care providers and suppliers to proactively manage the security of their protected health information. MEEI’s settlement highlights the importance of compliance programs to avoid, and promptly report, potential HIPAA violations.

If you have questions about HIPAA compliance, or need help creating and implementing a compliance plan, please contact an experienced healthcare attorney at Wachler & Associates, at 248-544-0888.