The Massachusetts Eye and Ear Infirmary (“MEEI”) and Massachusetts Eye and Ear Associates, Inc. (“MEEA”) (hereinafter collectively referred to as “MEEI”), each of which is a nonprofit corporation, entered into a settlement agreement with the Department of Health and Human Services (“DHHS”) to resolve a breach of unsecured electronic health information (“ePHI”) that it had reported to DHHS. The violations that led to the settlement agreement in lieu of presumably greater civil money penalties included the following:
- MEEI did not demonstrate that it had conducted a thorough analysis of the risk to the confidentiality of ePHI on an on-going basis as part of its security management process from the compliance date of the Security Rule to October 29, 2009. In particular, MEEI did not fully evaluate the likelihood and impact of potential risks to the confidentiality of ePHI maintained in and transmitted using portable devices, implement appropriate security measures to address such potential risks, document the chosen security measures and the rationale for adopting those measures, and maintain on an on-going basis reasonable and appropriate security measures.
- MEEI’s security measures were not sufficient to ensure the confidentiality of ePHI that it created, maintained, and transmitted using portable devices to a reasonable and appropriate level.
- MEEI did not adequately adopt or implement policies and procedures to address security incident identification, reporting, and response.
- MEEI did not adequately adopt or implement policies and procedures to restrict access to authorized users for portable devices that access ePHI or provide a reasonable means of knowing whether or what type of portable devices were being used to access its network.
- MEEI did not adequately adopt or implement policies and procedures governing the receipt and removal of portable devices into, out of, and within the facility or have a reasonable means of tracking non-MEEI owned portable media devices containing its ePHI into and out of its facility, or the movement of these devices within the facility.
- MEEI did not adequately adopt or implement technical policies and procedures to allow access to ePHI using portable devices only to authorized persons or software nor did it implement an equivalent, reasonable, and appropriate alternative measure to encryption or document the rationale supporting the decision not to encrypt.
In addition to agreeing to pay $1.5 million to settle the matter, MEEI entered into a corrective action plan requiring remediation of the above violations.
On September 17th, 2012, posted in: HIPAA Compliance Blog by Jonathan Tomes