This week, the HHS Office for Civil Rights announced a $1.5 million settlement with Massachusetts Eye and Ear Infirmary (MEEI) and its affiliated physician group for violations of the HIPAA Security Rule arising from the theft of an unencrypted laptop. The MEEI settlement is the third announced this year with a settlement amount of $1.5 million or more. OCR enforces both the HIPAA Privacy and Security Rules, as well as the breach notification requirements of the HITECH Act, and it has made clear that if, while investigating a complaint about a violation of one rule, it finds violations of the others, it will fold those violations into the same investigation.
OCR Director Leon Rodriguez, in an interview with AIS’s Report on Patient Privacy, emphasized that to determine the settlement amount, the office takes into account not only the number of patients affected, but also the action the covered entity took upon discovery, its history of noncompliance, and whether systemic issues underlie the violations. In the case of MEEI, OCR concluded that the violations were the result of “long-term, organizational disregard for the requirements of the Security Rule.” In 2011, it settled with Mass General Hospital in Boston for $1 million even though only 192 patient records were involved.
OCR is currently developing its permanent audit program, which will be designed using results from the pilot audit program that concludes at the end of this year. Targets will be selected based on complaints and breach notification reports, and “frequent-complaint-flyers,” a term coined by Rodriguez, are likely to receive audit priority. Beginning in 2013, business associates will also be audit targets.
Does your organization have a response plan if OCR knocks on the door?