
Another Big Fine After a Small Breach

HIPAA Investigation Leads to Sanctions

For the second time in three months, federal authorities have issued a hefty financial penalty stemming from a HIPAA compliance investigation after a relatively small breach.


The Department of Health and Human Services' Office for Civil Rights has entered a settlement with Massachusetts Eye and Ear Infirmary that includes a $1.5 million penalty. The resolution agreement cites a number of HIPAA violations discovered during an OCR investigation into the 2010 theft of an unencrypted laptop.

Massachusetts Eye and Ear, a Boston-based teaching hospital of Harvard Medical School, has agreed to a corrective action plan to address a number of compliance issues. The plan requires the hospital to review, revise, and maintain policies and procedures to ensure compliance with the HIPAA Security Rule. Plus, the agreement requires that an independent monitor conduct assessments of compliance with the corrective action plan and submit semi-annual reports to HHS for three years.

The circumstances in the case are similar to a recent HIPAA breach investigation involving the Alaska Department of Health and Social Services (see: Alaska Breach: Tip Of the Iceberg). In that case, the state agency paid a $1.7 million settlement as part of a June resolution agreement related to a pattern of non-compliance discovered by OCR when it investigated the theft of an unencrypted storage device that allegedly contained data on about 500 Medicaid beneficiaries (see: Inside A HIPAA Breach Investigation).

Wake-Up Call

Rebecca Herold, an independent security consultant who heads the firm Rebecca Herold & Associates, says the latest OCR settlement serves as yet another wake-up call for organizations to improve their HIPAA compliance efforts.

"The $1.5 million sanction clearly points out the need for all organizations of all sizes that possess personal information, such as PHI [protected health information], to implement long-held, proven and widely accepted security controls for all types of personal information," she says.

"Too many organizations take a wait-and-see attitude when it comes to implementing effective security controls. I've spoken with the leaders within many organizations - covered entities and many business associates - who indicate that they would rather wait and be told to implement encryption, employee training and other necessary security controls, before they make the associated investments. The thought is that they would rather not pay for what they see as unnecessary security until after [a breach] proves to them that it is necessary."

Breach prevention is significantly less expensive than the cost of federal sanctions, breach response and clean-up activities and reputation damage, Herold stresses. "It should be a no-brainer to invest in encrypting mobile computing devices and storage media; encryption is now comparatively inexpensive and easy to install and use."

Breach Investigation

OCR launched its investigation of the Massachusetts hospital after it reported the February 2010 theft of a laptop computer belonging to neurologist Robert Levine, M.D., who was traveling in South Korea for a lecture (see: New Breach: Stolen Laptop Disabled Remotely). The unencrypted computer contained information on more than 3,500 patients treated from February 1988 to February 2010, as well as 68 who were participants in a research project.

During OCR's subsequent investigation, the agency found that the hospital "failed to take necessary steps to comply with certain requirements of the HIPAA Security Rule, such as conducting a thorough analysis of the risk to the confidentiality of ePHI [electronic personal health information] maintained on portable devices; implementing security measures sufficient to ensure the confidentiality of ePHI that Mass Eye and Ear created, maintained and transmitted using portable devices; adopting and implementing policies and procedures to restrict access to ePHI to authorized users of portable devices; and adopting and implementing policies and procedures to address security incident identification, reporting, and response," according to an HHS statement.

"OCR's investigation indicated that these failures continued over an extended period of time, demonstrating a long-term, organizational disregard for the requirements of the Security Rule," the statement notes.

Executives at Massachusetts Eye and Ear Infirmary said in a statement that during its investigation, OCR identified six areas of "potential past non-compliance" which the hospital addressed between October 2009 and June 201. "These areas of potential non-compliance were primarily focused on controls to protect health information accessed or stored on portable electronic devices, such as laptop computers," the statement notes.

"Given the lack of patient harm discovered in this investigation, Mass. Eye and Ear was disappointed with the size of the fine, especially since the independent specialty hospital's annual revenue is very small compared to other much larger institutions that have received smaller fines," the statement notes.

Hospital executives declined to offer further comment.


About the Author

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity

Marianne Kolbasuk McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site, and played a lead role in the launch of InformationWeek's healthcare IT media site.




