Massachusetts Provider Enters into a $1.5 Million Settlement with HHS for HIPAA Violations

Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates Incorporated (MEEI) settled with the Department of Health and Human Services (HHS) for $1.5 million in response to alleged violations of the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. MEEI notified HHS’ Office for Civil Rights (OCR) that an unencrypted personal laptop containing the electronic protected health information (ePHI) of MEEI patients and research subjects was stolen. Following the notification, OCR found that the organization failed to assess the risk to the confidentiality of ePHI on portable devices. Further, MEEI did not form adequate security measures or policies to identify, report, and respond to security incidents.

According to HHS, MEEI has agreed to comply with a three-year corrective action plan which involves reviewing, revising, and maintaining HIPAA policies and procedures. MEEI’s compliance with the corrective action plan will be monitored and reviewed by an independent monitor.

The HHS press release is available at: http://www.hhs.gov/news/press/2012pres/09/20120917a.html.

Department of Health and Human Services. “Massachusetts Provider Settles HIPAA case for $1.5 Million.” News Release. 17 Sep. 2012.

About the Author

Ms. Shuman assists health care organizations to develop, implement and evaluate their compliance programs and HIPAA privacy programs. Ms. Shuman specializes in our firm’s HIPAA Privacy services, including leading privacy investigations, breach risk assessments, breach notification letters, breach reporting to the Office for Civil Rights and corrective actions plans. She specializes in serving as Interim Privacy Officer for large health care systems, managed care organizations, comprehensive cancer center and health care business associate.