November 18, 2012
On September 17, 2010, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced that it had entered into a resolution agreement (i.e., settlement) with Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates (collectively, MEEI) which required MEEI to pay $1.5 million to OCR and enter into a three-year corrective action plan with the agency. The agreement related to the theft of a laptop belonging to an MEEI-affiliated physician while the physician was lecturing in South Korea in 2010. Although the laptop included certain data security features, it was not encrypted. The laptop reportedly held protected health information (PHI) for more than 3,600 of MEEI’s patients.
Unfortunately, the MEEI breach involves facts that are becoming all too familiar as hospitals and other “covered entities” struggle to maintain the privacy and security of their patients’ personal information, as required by the Health Insurance Portability and Accountability Act of 1996 (HIPAA).