Late yesterday, the HHS Office for Civil Rights ("OCR")
announced that it had reached a $1.5 million settlement with
Massachusetts Eye and Ear Infirmary and Massachusetts Eye and
Ear Associates, Inc. ("MEEI") to settle potential
HIPAA Security violations. As part of the settlement, MEEI also agreed to a Corrective Action Plan to improve policies and
procedures to safeguard the privacy and security of its
patients' protected health information.
Mass. Eye and Ear has no indication that the information on the
stolen computer has actually been accessed or inappropriately used.
The computer was password protected and contained a tracking device
commonly referred to as "LoJack." The tracking device
contacted LoJack on March 9 when the stolen computer was connected
to the internet in South Korea. LoJack was able to monitor the
computer's configuration and on-line use, and determined that:
- A new operating system was installed on the computer following
the theft, and
- Software needed to access most of the information about
affected Mass. Eye and Ear individuals had not been
On April 9 it was determined that it was unlikely that continued
monitoring of the computer would lead to its retrieval, and a
command was sent by LoJack to the computer permanently disabling
the hard drive and rendering any information, including information
about affected Mass. Eye and Ear individuals contained on the hard
drive, permanently unreadable.
These are hardly the actions of an irresponsible party, and yet
a $1.5 million settlement resulted. It seems clear from this
settlement that OCR is expecting robust risk assessment (and
encryption) for securing ePHI on all mobile devices.
In particular, OCR stated that its investigation indicated that
MEEI failed to take necessary steps to comply with certain
requirements of the Security Rule, such as conducting a thorough
analysis of the risk to the confidentiality of ePHI maintained on
portable devices, implementing security measures sufficient to
ensure the confidentiality of ePHI that MEEI created, maintained,
and transmitted using portable devices, adopting and implementing
policies and procedures to restrict access to ePHI to authorized
users of portable devices, and adopting and implementing policies
and procedures to address security incident identification,
reporting, and response. OCR said its investigation indicated that
these failures continued over an extended period of time,
demonstrating a long-term organizational disregard for the
requirements of the Security Rule.
In addition to the $1.5 million settlement, the agreement
requires MEEI to adhere to a corrective action plan which includes
reviewing, revising and maintaining policies and procedures to
ensure compliance with the Security Rule, and retaining an
independent monitor who will conduct assessments of MEEI's
compliance with the corrective action plan and render semi-annual
reports to HHS for a 3-year period. As such, the long-term
costs to MEEI will greatly exceed the $1.5 million it has to