On Monday, HHS announced that the Massachusetts Eye and Ear Infirmary and its affiliated physician group, Massachusetts Eye and Ear Associates, have agreed to pay $1.5 million to settle allegations that they violated HIPAA privacy and security rules, Clinical Innovation & Technology reports (Walsh, Clinical Innovation & Technology, 9/17).
OCR Investigation
In February 2010, HHS' Office of Civil Rights began investigating the Boston-based organization after the reported theft of an unencrypted MEEI laptop that contained the protected health information of 3,621 patients and research subjects. The data on the laptop included patients' prescription and clinical information (McCann, Healthcare IT News, 9/17).
The investigation found that MEEI had failed to:
- Conduct a security risk analysis of putting PHI on portable devices;
- Implement security measures that would ensure the confidentiality of data on portable devices;
- Restrict access to PHI to authorized users of portable devices; and
- Implement policies and procedures to address data breach identification, reporting and response.
In a statement, HHS said, "OCR's investigation indicated that these failures continued over an extended period of time, demonstrating a long-term, organizational disregard for the requirements of the [HIPAA] Security Rule" (Goedert, Health Data Management, 9/17).
Details of Settlement
As part of a resolution agreement, MEEI will pay three equal installments of $500,000 on Oct. 15 in 2012, 2013 and 2014 (Clinical Innovation & Technology, 9/17).
The agreement also requires MEEI to implement a corrective action plan and allows an independent monitor to make semi-annual assessments of the group's adherence to the plan for three years (Conn, Modern Healthcare, 9/17).