Massachusetts Provider Settles HIPAA Case After Investigation

Wednesday, September 19, 2012

The U.S. Department of Health and Human Services (HHS) Office of Civil Rights (OCR) announced a $1.5 million settlement with Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates Inc. (MEEI), which resolves potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule.

As required by the Health Information Technology for Economic and Clinical Health Act’s Breach Notification Rule, MEEI reported the theft of an unencrypted laptop that contained electronic protected health information (ePHI) of MEEI patients and research subjects.

OCR conducted an investigation and found that MEEI did not take the necessary steps to comply with certain requirements of the Security Rule, including:

  • Analyzing the risk to the confidentiality of ePHI maintained on portable devices;
  • Implementing sufficient security measures to ensure the confidentiality of ePHI;
  • Implementing policies and procedures to restrict access to authorized users of the portable devices; and
  • Implementing policies and procedures to address security incident identification, reporting, and response.

OCR found that MEEI's failure to comply with the requirements occurred over an extended period of time. OCR Director Leon Rodriguez emphasized in a statement that because confidential health information is stored and transported on portable devices such as laptops, tablets and mobile phones, special attention must be paid to safeguarding the information held on those devices.

In addition to the $1.5 million settlement, MEEI must adhere to a corrective action plan to address the security gaps that resulted in the violations. More information about OCR's enforcement activities may be found here.