With a $1.5 million settlement agreement over a lost laptop, the Dept. of Health and Human Services is sending a signal to physicians and others that a violation of the Health Insurance Portability and Accountability Act comes with consequences, no matter the reason for it.
A doctor with the Massachusetts Eye and Ear Infirmary was travelling abroad in 2010 when his laptop was stolen. There was no evidence that the patient data stored on the computer were accessed. The hospital reported the incident to HHS, prompting an investigation that identified six areas of noncompliance with HIPAA privacy and security rules. HHS and the hospital announced Sept. 17 that they had reached a settlement and that the hospital would pay the $1.5 million and take corrective action to help ensure the security of mobile devices.
The agreement comes at a time when mobile and portable devices are considered one of the most vulnerable areas for breaches. Security of the devices often is overlooked in security assessments.
"In an age when health information is stored and transported on portable devices such as laptops, tablets and mobile phones, special attention must be paid to safeguarding the information held on these devices," stated Leon Rodriguez, director of the HHS Office for Civil Rights, in a prepared statement. "This enforcement action emphasizes that compliance with the HIPAA privacy and security rules must be prioritized by management and implemented throughout an organization, from top to bottom."
The hospital, which was not required to admit guilt, agreed to address the areas where it was not in compliance. The areas included risk assessment, staff training, and review and revision of policies and procedures. One area of data security the hospital missed was encryption. If the stolen laptop had been encrypted, the hospital would not have had to report the incident.
The hospital stated in a prepared statement that it was disappointed in the amount of the settlement, given its relatively small revenue. But it also stated the case underscores the challenges associated with the deployment of mobile and portable devices.
"The rapid advancement of mobile technology has tremendous benefit for our physicians and our researchers, enabling them to collaborate and pursue their work while they are on the move," the hospital's statement said. "It has also created new challenges for the entire health care community in the area of security safeguards."
Reviews of breaches reported to HHS indicate that mobile and portable devices are becoming one of the most vulnerable areas for security breaches.
One such report was published in August by South Florida accounting firm Kaufman, Rossin & Co. It found that 50% of breaches in 2011 were from laptops or other compromised locations, a category that included all mobile devices. For breaches of information on laptops, 95% involved theft; for breaches involving other devices, 44% involved theft and 42% involved loss. The report's authors stated they anticipate the number of breaches involving theft and loss to grow as more mobile devices make their way into health care, because such devices are more prone to loss and theft.
The settlement with the Massachusetts Eye and Ear Infirmary is one of several HHS has reached with practices and hospitals of all sizes that violated HIPAA rules. In April, HHS announced its first enforcement action against a small practice. Phoenix Cardiac Surgery, a five-physician practice with offices in Phoenix and Prescott, Ariz., agreed to pay $100,000 to settle charges stemming from complaints that its appointment calendar with patient names and procedures was made publicly available on its online scheduling system. The practice did not have to admit guilt.
Copyright 2012 American Medical Association. All rights reserved.
Submitted on Sunday, September 30th, 2012 at 4:17 pm in Uncategorized by ethan