The Office for Civil Rights appears to be sending a stern and serious message to practices nationwide as the first stage of Meaningful Use wraps up. Less than four months after the Alaska DHHS’s $1.7 million settlement we reported on in August, another practice has been slammed with a $1.5 million fine for a potential breach of the Health Insurance Portability and Accountability Act.
Two years after alerting the OCR of their own security breach in the form of a stolen laptop, Massachusetts Eye and Ear Associates Inc. and its associated hospital Massachusetts Eye and Ear Infirmary (collectively referred to as “MEEI”) have agreed to pay the U.S. Department of Health and Human Services (HHS) $1.5 million to settle potential HIPAA violations.
According to reports, the laptop did not contain patient billing information, and none of the patients in question appear to have experienced any negative side effects as a result of the theft. Regardless, it was enough for the OCR to launch a full investigation as they fell down the rabbit hole of deficiencies and overlooked security gaps in MEEI’s system, exposing them in the following areas:
- Failing to conduct a thorough analysis of the risk to the confidentiality of ePHI maintained on portable devices
- Failing to implement security measures sufficient to ensure the confidentiality of ePHI that MEEI created, maintained and transmitted using portable devices
- Failing to adopt and implement policies and procedures to address security incident identification, reporting and response
The OCR investigation revealed that these failures continued over an extended period of time, “demonstrating a long-term, organizational disregard for the requirements of the Security Rule,” according to the OCR.
Despite MEEI’s reported “disappointment” in the OCR’s pricey ruling (based on “lack of patient harm” and the hospital’s relatively low annual revenues), the fine stands – and should serve as a reminder that even smaller practices are at risk for crippling fines if found in non-compliance.
We can only anticipate that these audits – and subsequent fines – will become increasingly frequent and severe. If you aren’t 100% sure your practice would be safe and sound in the face of a scrutinizing review, DataFile can help. We specialize in securing practices with comprehensive security risk analyses and even the option to outsource medical records management, including the full transfer of HIPAA liability under the HITECH Act. Make sure your practice doesn’t get caught red-handed.