By Kendra Casey Plank
A Massachusetts hospital has agreed to pay $1.5 million to the federal government to resolve allegations it violated the Health Insurance Portability and Accountability Act Security Rule by failing to properly protect patients' protected health information maintained on portable devices.
The settlement follows an investigation by the Department of Health and Human Services Office for Civil Rights that was sparked by a data breach report from the hospital, according to a Sept. 17 HHS news release.
In 2010, the Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates Inc., collectively referred to as MEEI, in Boston reported to OCR a data breach that occurred because a doctor's laptop computer containing unencrypted patient data was stolen, according to a Sept. 17 statement from the hospital.
The resulting federal investigation indicated that Massachusetts Eye and Ear had “failed to take necessary steps to comply with certain” Security Rule requirements, including ensuring data maintained on portable devices, such as laptop computers, was protected from unauthorized users and that procedures were in place for identifying and reporting data security incidents, according to the HHS release.
“OCR's investigation indicated that these failures continued over an extended period of time, demonstrating a long-term, organizational disregard for the requirements of the Security Rule,” HHS said.
Massachusetts Eye and Ear said the OCR review was “triggered by the hospital's proactive self-reporting” of the data breach incident and that no patients were harmed as a result of the breach.
The hospital said it was “disappointed” by the size of what it characterized as a fine from HHS considering the “lack of patient harm” and the hospital's relatively low annual revenues.
“The rapid advancement of mobile technology has been both a boon and a bane for healthcare providers,” the hospital said in its statement. “In the case of Mass. Eye and Ear, it has tremendous benefit for our doctors and our researchers, enabling them to collaborate and pursue their work while they are on the move. It has also created new challenges for the entire healthcare community in the area of security safeguards.”
In addition to the settlement, Massachusetts Eye and Ear agreed to enter into a corrective action plan that includes a review and revision of its policies for complying with the Security Rule.
Under the resolution agreement, MEEI will pay HHS $500,000 on Oct. 15, and will pay subsequent payments of $500,000 on Oct. 15, 2013, and Oct. 15, 2014.
The resolution agreement is available at http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/meei-agreement.html.