On September 17, the Department of Health and Human Services (HHS) announced a settlement with Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates, Inc. (collectively, MEEI) for alleged violations of the HIPAA Security Rule.  Under the Resolution Agreement, MEEI agreed to pay $1.5 million to HHS and take corrective action to improve its policies and procedures to ensure compliance with HIPAA.

HHS initiated an investigation after MEEI submitted a breach report in April 2010, which reported the theft of an unencrypted laptop containing the electronic protected health information (e-PHI) of MEEI patients and research subjects.  Through its investigation, HHS found that MEEI:

  • did not demonstrate that it conducted a thorough risk analysis, as required by the HIPAA Security Rule, on an ongoing basis as part of its security program
  • did not implement security measures sufficient to ensure the confidentiality of e-PHI on portable devices
  • did not adequately adopt or implement policies and procedures regarding security incidents; access to portable devices containing e-PHI; the receipt and removal of portable devices into, out of, and within the facility
  • did not adequately adopt or implement technical policies and procedures to allow access to e-PHI using portable devices only to authorized persons or software programs; and did not implement an appropriate alternative measure to encryption or document its decision not to encrypt.

Each finding specifies a period of non-compliance, ranging from the compliance date of the Security Rule (April 2003) to specific dates in 2009 and 2010.  It is not clear from the Resolution Agreement whether HHS listed end dates because MEEI came into compliance by those dates, or HHS could not prove non-compliance after those dates.  However, MEEI released a statement suggesting that it had addressed all of the HHS allegations between October 2009 and June 2010.

The Resolution Agreement requires MEEI to enter into a Corrective Action Plan, which includes the review and revision of policies and procedures, risk assessment, and training for staff.

Along with the recent HHS settlements with Alaska Medicaid, Phoenix Cardiac Surgery, and Blue Cross Blue Shield of Tennessee, this settlement suggests that HIPAA enforcement actions are increasing.  Moreover, given MEEI’s statement regarding corrective action, the settlement raises big questions about the extent of liability for past non-compliance that has been corrected.