In 2010, the Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates Inc. suffered a data breach in which information on around 3,600 individuals was lost. That prompted an Office for Civil Rights audit to determine whether their policies and procedures complied with the HIPAA Security Rule.
Last month, HHS announced that a settlement had been reached in the matter.
This data breach did not occur through an attack by the Anonymous group, a zero-day vulnerability exploited by some third party, or even a compromised email or social media account. What happened was very simple, and it is the same story that seems to happen over and over again: an employee's unencrypted laptop containing sensitive information was lost or stolen.
The price tag resulting from the settlement, however, is not very simple. Based on the investigation that followed the breach, MEII now must pay $1.5M for potential violations of the HIPAA Security Rule. Indeed, the potential violations found against MEII in that investigation appear to be simple compliance failures, such as the failure to perform a risk analysis, the failure to adequately adopt or implement policies and procedures to address security incident identification, reporting and response, and the failure to implement security measures that ensure the confidentiality of electronic health information on portable devices.
This example stresses the need for organizations that must comply with the HIPAA Security Rule to invest the time and energy in compliance in order to avoid these types of situations in the future. Employees at every level have lost portable devices for as long as we've had them. For example, the HHS website that discloses a list of breaches of unsecured protected health information affecting 500 or more individuals lists the word "Laptop" 34 times and "Portable Electronic Device" 10 times under the field "Location of Breached Information."
Importantly, the MEII situation discussed above resulted from an investigation and audit into MEII's HIPAA Security Rule compliance. Although this investigation stemmed from a data breach, OCR has established a pilot program to perform random audits of covered entities in a similar vein. This pilot program should increase in activity in 2013, and any covered entity may find itself going through something similar to what MEII experienced.
Nick Merker is an Intellectual Property Attorney at Ice Miller LLP