Physician practices and other health care providers, health plans, health care clearinghouses and their business associates have yet another $1 million-plus reminder of the importance of taking proper steps to secure electronic protected health information and of taking the other steps required to comply with the Health Insurance Portability & Accountability Act of 1996 (HIPAA).
Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates, Inc. (collectively referred to as “MEEI”) will pay the U.S. Department of Health and Human Services (HHS) $1.5 million and take a series of corrective actions to settle potential violations of the HIPAA Security Rule under the resolution agreement available here (“Resolution Agreement”) announced by the HHS Office of Civil Rights (OCR) on September 17, 2012.
MEEI Resolution Agreement
The Resolution Agreement settles charges that resulted from an OCR investigation commenced in response to a HIPAA breach report submitted by MEEI reporting the theft of an unencrypted personal laptop containing the electronic protected health information (ePHI) of MEEI patients and research subjects. The laptop information included patient prescriptions and clinical information.
OCR’s investigation indicated that MEEI failed to take necessary steps to comply with certain requirements of the HIPAA Security Rule, such as conducting a thorough analysis of the risk to the confidentiality of ePHI maintained on portable devices, implementing security measures sufficient to ensure the confidentiality of ePHI that MEEI created, maintained, and transmitted using portable devices, adopting and implementing policies and procedures to restrict access to ePHI to authorized users of portable devices, and adopting and implementing policies and procedures to address security incident identification, reporting, and response. OCR’s investigation indicated that these failures continued over an extended period of time, demonstrating a long-term organizational disregard for the requirements of the Security Rule.
To settle the charges, MEEI will pay a $1.5 million settlement to OCR. In addition, the Resolution Agreement also requires MEEI to adhere to a corrective action plan which includes reviewing, revising and maintaining policies and procedures to ensure compliance with the Security Rule, and retaining an independent monitor who will conduct assessments of MEEI’s compliance with the corrective action plan and render semi-annual reports to HHS for a 3-year period.
High Dollar Resolution Agreements Increasingly Common
The MEEI Resolution Agreement follows on the resolution agreement previously announced this year with Arizona-based Phoenix Cardiac Surgery, P.C. (PCS). That resolution agreement required PCS to pay $100,000 and take corrective action to implement policies and procedures to safeguard the protected health information of its patients to settle OCR charges PCS violated HIPAA.
Health care providers and other HIPAA-covered entities should heed the MEEI, PCS and other recent settlements as the latest signal of the risks that health care providers and other covered entities run by failing to adequately implement and administer appropriate HIPAA compliance practices.
Following the announcement by OCR last month that Blue Cross Blue Shield of Tennessee (BCBST) would pay $1,500,000 to resolve HIPAA violation charges, the PCS resolution agreement, the latest in a series of Resolution Agreements announced by OCR in recent years, highlights OCR’s willingness to sanction health care providers and other covered entities of all sizes. “The case is significant because it highlights a multi-year, continuing failure on the part of this provider to comply with the requirements of the Privacy and Security Rules,” said Leon Rodriguez, director of OCR. “We hope that health care providers pay careful attention to this resolution agreement and understand that the HIPAA Privacy and Security Rules have been in place for many years, and OCR expects full compliance no matter the size of a covered entity.”
Enforcement Actions Highlight Growing HIPAA Exposures For Covered Entities
Like the PCS, BCBST and other announced resolution agreements, the MEEI Resolution Agreement provides more evidence of the growing exposures that health care providers, health plans, health care clearinghouses and their business associates face, and of the need to carefully and appropriately manage their HIPAA responsibilities. See HIPAA Heats Up: HITECH Act Changes Take Effect & OCR Begins Posting Names, Other Details Of Unsecured PHI Breach Reports On Website. Covered entities are urged to heed these warnings by strengthening their HIPAA compliance and adopting other suitable safeguards to minimize HIPAA exposures. For tips, see here.
For Help With Monitoring Developments, Compliance, Investigations Or Other Needs
If you need assistance monitoring federal health reform, policy or enforcement developments, or reviewing or responding to these or other health care or health IT related risk management, compliance, enforcement or management concerns, the author of this update, attorney Cynthia Marcotte Stamer, can help. Vice President of the North Texas Health Care Compliance Professionals Association, Past Chair of the ABA Health Law Section Managed Care & Insurance Section and the former Board Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer has more than 24 years’ experience advising health industry clients about these and other matters. Ms. Stamer has extensive experience advising and assisting health care providers, health plans, their business associates and other health industry clients in establishing and administering medical privacy and other compliance and risk management policies, and in health care industry investigation, enforcement and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns. She regularly designs and presents HIPAA and other risk management, compliance and other training for health plans, employers, health care providers, professional associations and others.
Ms. Stamer also regularly works with OCR and other agencies, and publishes and speaks extensively on medical and other privacy and data security, health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns. Her publications and insights appear in the Health Care Compliance Association, Atlantic Information Service, Bureau of National Affairs, World At Work, The Wall Street Journal, Business Insurance, the Dallas Morning News, Modern Health Care, Managed Healthcare, Health Leaders, and many other national and local publications. For instance, Ms. Stamer will serve for the second year as the appointed scribe for the ABA Joint Committee on Employee Benefits Agency meeting with OCR. Her insights on HIPAA risk management and compliance frequently appear in the medical privacy related publications of a broad range of health care, health plan and other industry organizations. Among others, she has conducted privacy training for the Association of State & Territorial Health Plans (ASTHO), the Los Angeles Health Department, the American Bar Association, the Health Care Compliance Association, a multitude of health industry, health plan, insurance and financial services, education, employer employee benefit and other clients, trade and professional associations and others.
For more tips, see here.
Other Recent Updates & Resources
If you found this information of interest, you also may be interested in the following recent updates on health care, health plan and employee benefits, human resources and other risk management and compliance matters. Recent examples on health care compliance and risk management matters include:
- Dallas Business Journal Health Care Fraud Article Quotes Stamer
- Comment Period Extended To 3/21 On Proposed Extension Of Minimum Wage, Overtime To In-Home Caregivers
- 2 Doctors, 4 Nurses Join 11 Defendants Charged in $20M Home Health Fraud, Kickback, Money Laundering & Tax Evasion Sting
- States Medicaid & Other Health Care Fraud Enforcement Successes Continue
- Data Mining, Statistical Profiling Play Key Role In Arrest of Dallas Doctor, Office Manager & 5 Home Health Agency Owners
- ONC Releases Proposed Rules For Meaningful Use Stage 2
- DOJ & HHS Health Care Fraud Enforcement Nets $4 Billion + In 2011
- Update Charity and Sliding Fee Scale Policies For 2012 Federal Poverty Rate Changes
- Texas Physicians Get New Option For Resolving Some Medical Board Complaint
- Broad-Reaching Prosecution Of Individuals Participating In Operations Of Companies Convicted Of Fraud Shows Risks Of Participation
- Hospitals Can Expect CMS To Add Hospital Incident Reporting To Surveys In Response To OIG Report
- North Texas Medical Supply Company Owner Indicted For Health Care Fraud Now Also Charged With Immigration Fraud
- DOL Proposes Tighter Overtime, Minimum Wage Rules For Home Care Workers, Continues Scrutiny Of Health Care Employers
- DFW Hospital Council Foundation Among 26 Organizations Selected To Lead Quality Effort
- Former Houston Texas Physician Gets 70 Month Prison Sentence For Fraud Conviction
- Euless Healthcare Corporation Owner, Associates Face Conspiracy And Health Care Fraud Charges For Alleged Submission Of $700,000+ In Fraudulent Health Care Claims
For additional resources, publications and training materials by Ms. Stamer, see here.
If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile here. For important information concerning this communication click here. If you do not wish to receive these updates in the future, send an e-mail with the word “Remove” in the Subject to here.
©2012 Cynthia Marcotte Stamer, P.C. Nonexclusive license to republish granted to Solutions Law Press, Inc. All other rights reserved.
[*] The Breach Notification Rule also requires that covered entities report smaller breaches annually to OCR as part of a consolidated disclosure.