These days, there are plenty of news stories about HIPAA breaches. If they aren’t getting your attention, this one should: The Massachusetts Eye and Ear Infirmary was fined $1.5 million in September for losses related to a single laptop.
The Office of Civil Rights (OCR), which is responsible for the enforcement of HIPAA, found that the hospital’s policies, procedures and operations to protect information stored on portable devices weren’t adequate.
Mobile devices like laptops are frequently stolen or misplaced. Yet a surprising number of health care organizations aren’t taking the proper precautions to make sure they are secure. And with settlements like the one with the Massachusetts Eye and Ear Infirmary, the OCR has shown that it is getting more aggressive about enforcement.
“After years of dormancy, HIPAA once again stepped into the spotlight in 2009 when it was amended under the HITECH Act,” reports an analysis by law firm Lathrop and Gage, LLC. “Since that time, providers have seen increased scrutiny, more frequent penalties and expanded applicability of the law.”
Other recent significant enforcement activities, according to Lathrop and Gage:
- Blue Cross Blue Shield of Tennessee Settlement. In March, Blue Cross Blue Shield of Tennessee was fined $1.5 million related to the theft of unencrypted hard drives containing more 1 million individuals’ protected health information.
- Phoenix Cardiac Surgery Settlement. In April, the group was fined $100,000 in response to a complaint related to a publicly available internet-based calendar utilized by the practice.
- Alaska Department of Health and Social Services. In June, the Alaska Department of Health and Social Services was fined $1.7 million associated with the theft of a USB hard drive that may have contained protected health information.
The law firm strongly advises health care providers to review and revise existing HIPAA compliance plans to ensure policies and procedures are in place to withstand more intense scrutiny from the OCR.