By Kendra Casey Plank
A Massachusetts hospital has agreed to pay $1.5 million to the federal government to resolve allegations it violated the Health Insurance Portability and Accountability Act Security Rule by failing to properly protect patients' protected health information maintained on portable devices.
The settlement follows an investigation by the Department of Health and Human Services Office for Civil Rights that was sparked by a data breach report from the hospital, according to a Sept. 17 HHS news release.
In 2010, the Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates Inc., collectively referred to as MEEI, in Boston reported to OCR a data breach that occurred because a doctor's laptop computer containing unencrypted patient data was stolen, according to a Sept. 17 statement from the hospital.
The hospital said it was “disappointed” by the size of what it characterized as a fine from HHS considering the “lack of patient harm” and the hospital's relatively low annual revenues.
Massachusetts Eye and Ear said the OCR review was “triggered by the hospital's proactive self-reporting” of the data breach incident and that no patients were harmed as a result of the breach.
“The rapid advancement of mobile technology has been both a boon and a bane for healthcare providers,” the hospital said in its statement. “In the case of Mass. Eye and Ear, it has tremendous benefit for our doctors and our researchers, enabling them to collaborate and pursue their work while they are on the move. It has also created new challenges for the entire healthcare community in the area of security safeguards.”
In addition to the settlement, Massachusetts Eye and Ear agreed to enter into a corrective action plan that includes a review and revision of its policies for complying with the Security Rule.
Under the resolution agreement, MEEI will pay HHS $500,000 on Oct. 15, and will make subsequent payments of $500,000 on Oct. 15, 2013, and Oct. 15, 2014.
The resolution agreement is available at http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/meei-agreement.html.