HHS Resolution Agreement
Contact: Mary Leach, 617-573-4170
Boston (Sept. 17, 2012) -- Massachusetts Eye and Ear has agreed to pay a $1.5 million fine to the Department of Health and Human Services (HHS) to address allegations that Mass. Eye and Ear failed to comply with certain requirements of the Health Insurance Portability and Accountability Act (HIPAA) standards that govern the security of electronic individually identifiable health information (the “Security Rule”).
Below is a statement from Mass. Eye and Ear.
“The review of Mass. Eye and Ear by the U.S. Department of Health and Human Services (HHS) was triggered by the hospital’s proactive self-reporting of a doctor’s unencrypted laptop being stolen while he was traveling abroad in 2010. Mass. Eye and Ear has no indication that any patients were harmed by this isolated incident.
As a result of that incident, Mass. Eye and Ear cooperated extensively with HHS as HHS conducted an investigation of the hospital’s compliance with the federal standards under the Health Insurance Portability and Accountability Act (HIPAA). The HHS investigation identified six areas of potential past non-compliance, which were addressed by Mass. Eye and Ear between October 2009 and June 2010. These areas of potential non-compliance were primarily focused on controls to protect health information accessed or stored on portable electronic devices, such as laptop computers.
The rapid advancement of mobile technology has been both a boon and a bane for healthcare providers. In the case of Mass. Eye and Ear, it has tremendous benefit for our doctors and our researchers, enabling them to collaborate and pursue their work while they are on the move. It has also created new challenges for the entire healthcare community in the area of security safeguards. Given the lack of patient harm discovered in this investigation, Mass. Eye and Ear was disappointed with the size of the fine, especially since the independent specialty hospital’s annual revenue is very small compared to other much larger institutions that have received smaller fines.
The agreement with HHS requires Mass. Eye and Ear to enter into a Corrective Action Plan (CAP), which includes risk assessment, the review and revision of policies and procedures, and the provision of training to our staff. Mass. Eye and Ear had already implemented many of the elements of the CAP as part of our ongoing programs to safeguard the health information of our patients. We will continue to work collaboratively with HHS and maintain our commitment to protecting our patients’ health information.”
For more information on the agreement, please visit http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/meei-agreement-pdf.pdf
Original announcement about the laptop data breach: http://www.masseyeandear.org/news/press_releases/archived/2010/#24