On Sept. 17, 2012, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced that Massachusetts Eye and Ear Infirmary
and Massachusetts Eye and Ear Associates, Inc. (collectively, “MEEI”) had agreed to pay HHS $1.5 million to settle potential violations of the Health
Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules. In addition to the settlement, MEEI entered into a Resolution
Agreement with HHS that includes a corrective action plan (CAP) requiring it to review and revise its policies and procedures, implement workforce training
and hire an independent consultant to monitor its compliance with the CAP.

The settlement relates to a 2010 theft of an unencrypted laptop computer that was taken abroad by a physician affiliated with MEEI and that contained the
protected health information (PHI), including prescription and clinical information, of approximately 3,500 MEEI patients and research subjects. MEEI’s original announcement of the laptop theft and data breach noted that the
laptop was equipped with a tracking device that allowed the vendor of the tracking device to send a command to the laptop to permanently disable the hard
drive. However, MEEI was unable to determine whether PHI contained on the laptop had been accessed between the date of the theft and the date of the
disabling of the hard drive. Accordingly, MEEI reported the breach to HHS as required by HIPAA.

According to the Resolution Agreement, the HHS investigation indicated that MEEI failed to demonstrate that it conducted a thorough analysis of the risk to
the confidentiality of electronic protected health information (ePHI) on an ongoing basis as part of its security management process. In particular, MEEI
did not evaluate the potential risks to the confidentiality of ePHI maintained in and transmitted using portable devices, did not implement appropriate
security measures to address such potential risks, did not document the chosen security measures and their rationale and did not maintain reasonable and
appropriate security measures. MEEI failed to adequately adopt or implement policies and procedures (1) to address security incident identification,
reporting and response; (2) governing the removal of portable devices; or (3) to allow only authorized persons or software programs access to ePHI using
portable devices. Finally, MEEI did not require encryption of the laptop or implement an equivalent, reasonable and appropriate alternative measure to

In a press release regarding the incident, HHS noted that the investigation indicated that these failures “continued over an extended period of time,
demonstrating a long-term, organizational disregard for the requirements of the Security Rule.” OCR Director Leon Rodriguez noted, “This enforcement
action emphasizes that compliance with the HIPAA Privacy and Security Rules must be prioritized by management and implemented throughout an organization,
from top to bottom.” Although it agreed to the settlement, MEEI stated in its own press release that it believed the settlement amount was excessive and
disproportionate to those reached with other institutions. MEEI further noted that it had addressed the areas of potential noncompliance identified by OCR
between October 2009 and June 2010 and had already implemented many of the elements of the CAP.

As the fourth major enforcement action announced by the OCR in 2012, the MEEI settlement underscores OCR’s ongoing commitment to aggressive enforcement of
the HIPAA Privacy and Security Rules. Accordingly, covered entities and business associates should ensure that they have implemented all the elements of an
effective HIPAA compliance program, including the performance of a HIPAA Security Rule risk assessment and the implementation of an effective risk

McGuireWoods has extensive experience as counsel to a broad range of covered entities and business associates. For more information on this topic, or for
guidance to help ensure compliance, please contact the authors.