Eye and Ear Practice Fined $1.5 Million for Security Rule Violations
The HHS Office for Civil Rights has fined Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates, collectively known as MEEI, $1.5 million and imposed a corrective action plan following the theft of an unencrypted laptop in February 2010.
The organizations have signed a resolution agreement detailing “potential” violations of the HIPAA Security Rule and the components of the corrective action plan; MEEI does not admit guilt in the agreement. The stolen laptop contained prescriptions and other clinical information on 3,621 patients and research subjects.
“OCR’s investigation indicated that MEEI failed to take necessary steps to comply with certain requirements of the Security Rule, such as conducting a thorough analysis of the risk to the confidentiality of ePHI maintained on portable devices, implementing security measures sufficient to ensure the confidentiality of ePHI that MEEI created, maintained, and transmitted using portable devices, adopting and implementing policies and procedures to restrict access to ePHI to authorized users of portable devices, and adopting and implementing policies and procedures to address security incident identification, reporting, and response,” according to an agency statement. “OCR’s investigation indicated that these failures continued over an extended period of time, demonstrating a long-term, organizational disregard for the requirements of the Security Rule.”
MEEI had experienced an earlier breach in November 2009 when two employees in separate units of the organization were found to have misused the credit card information of 1,076 patients. That breach is not directly addressed in the OCR statement or in the resolution agreement.
Among other requirements, the corrective action plan includes implementation of “mechanisms” to encrypt and decrypt ePHI on portable devices, the safeguard whose absence turned a stolen laptop into a reportable breach. Under the resolution agreement, MEEI will pay $500,000 on Oct. 15 in each of 2012, 2013 and 2014. The resolution agreement and corrective action plan are available from OCR.
Other organizations that have paid large settlements to OCR following major breaches include the Alaska Department of Health and Social Services ($1.7 million), Blue Cross and Blue Shield of Tennessee ($1.5 million), UCLA Health System ($865,000), Massachusetts General Hospital ($1 million), Cignet Health ($4.3 million), Rite Aid ($1 million), CVS/pharmacy ($2.2 million), Phoenix Cardiac Surgery ($100,000) and Providence Health & Services ($100,000).