The Department of Health and Human Services (HHS) and the Massachusetts Eye and Ear Infirmary (MEEI) have reached a settlement over HIPAA Security Rule violations. MEEI has agreed to pay $1.5 million for losing protected health information and then failing to notify affected patients of the breach. It must also carry out a corrective action plan and submit annual compliance reports to HHS for the next three years.
The breach occurred when a laptop holding unencrypted protected health information was stolen. Once MEEI learned of the theft, it did not notify the affected patients as the HITECH Act's breach notification requirements for HIPAA demand.
This looks like a penalty intended to push other health care providers toward HIPAA compliance. It is a far cry from the law's first ten years, during which HHS brought no enforcement actions at all. The appetite for enforcing the law has clearly grown.
There are some basic steps every covered entity should be taking to avoid a penalty like the one MEEI was compelled to accept. For electronic health records, any copy that leaves the office must be encrypted: that means full-disk encryption on laptops, and encryption of removable and backup media such as external hard drives, tapes and disks. A stolen device whose data is properly encrypted is a lost asset rather than a reportable breach.
For paper records containing protected health information, make sure they are properly destroyed. The most cost-effective approach is an ongoing shredding service. It frees office staff to focus on patients and provides a documented record of destruction that a practice can produce to rebut an unfounded HIPAA complaint.