Health plans, health care providers, health care clearinghouses and their business associates have yet another $1 million plus reminder of the importance of taking proper steps to secure electronic protected health information and take other steps required to comply with the Health Insurance Portability & Accountability Act of 1996 (HIPAA).

Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates, Inc. (collectively referred to as “MEEI”) will pay the U.S. Department of Health and Human Services’ (HHS) $1.5 million and take a series of corrective actions to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule under the resolution agreement available here (“Resolution Agreement”) announced by the Department of Health & Human Services (HHS) Office of Civil Rights (OCR) on September 17, 2012. 

MEEI Resolution Agreement

The Resolution Agreement settles charges that resulted from an OCR investigation commenced in response to a HIPAA breach report submitted by MEEI reporting the theft of an unencrypted personal laptop containing the electronic protected health information (ePHI) of MEEI patients and research subjects.  The laptop information included patient prescriptions and clinical information. 

OCR’s investigation indicated that MEEI failed to take necessary steps to comply with certain requirements of the HIPAA Security Rule, such as conducting a thorough analysis of the risk to the confidentiality of ePHI maintained on portable devices, implementing security measures sufficient to ensure the confidentiality of ePHI that MEEI created, maintained, and transmitted using portable devices, adopting and implementing policies and procedures to restrict access to ePHI to authorized users of portable devices , and adopting and implementing policies and procedures to address security incident identification, reporting, and response.  OCR’s investigation indicated that these failures continued over an extended period of time, demonstrating a long-term organizational disregard for the requirements of the Security Rule.

To settle the charges, MEEI will pay a $1.5 million settlement to OCR.  In addition, the Resolution Agreement also requires MEEI to adhere to a corrective action plan which includes reviewing, revising and maintaining policies and procedures to ensure compliance with the Security Rule, and retaining an independent monitor who will conduct assessments of MEEI’s compliance with the corrective action plan and render semi-annual reports to HHS for a 3-year period.

Enforcement Actions Highlight Growing HIPAA Exposures For Covered Entities

The MEEI Resolution Agreement follows on the resolution agreements previously announced this year against a health plan and various health care providers, all but one of which resulted in a settlement agreement of more than $1 million.

For instance, earlier this year, OCR required that Blue Cross Blue Shield of Tennessee (BCBST) to pay $1.5 million to resolve HIPAA violations charges.

Like the PCS, BCBST and other announced resolution agreements, the MEEI Resolution Agreement provides more evidence of the growing exposures that health care providers, health plans, health care clearinghouses and their business associates need to carefully and appropriately manage their HIPAA responsibilities. See HIPAA Heats Up: HITECH Act Changes Take Effect & OCR Begins Posting Names, Other Details Of Unsecured PHI Breach Reports On Website. 

If you need assistance monitoring HIPAA and other health and health plan related regulatory policy or enforcement developments, or to review or respond to these or other health care or health IT related risk management, compliance, enforcement or management concerns, the author of this update, attorney Cynthia Marcotte Stamer may be able to help.

Board Certified in Labor & Employment Law, Past Chair of the ABA RPTE Employee Benefit & Other Compensation Arrangements Group, Co-Chair and Past Chair of the ABA RPTE Welfare Plan Committee, Vice Chair of the ABA TIPS Employee Benefit Plans Committee, Vice President of the North Texas Health Care Compliance Professionals Association, Past Chair of the ABA Health Law Section Managed Care & Insurance Section and the former Board Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer has more than 24 years experience advising health plan and employee benefit, insurance, financial services, employer and health industry clients about these and other matters. Ms. Stamer has extensive experience advising and assisting health care providers, health plans, their business associates and other health industry clients to establish and administer medical privacy and other compliance and risk management policies, to health care industry investigation, enforcement and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns. She regularly designs and presents HIPAA and other risk management, compliance and other training for health plans, employers, health care providers, professional associations and others.

For the past two years, Ms. Stamer has served as the  scribe for the ABA Joint Committee on Employee Benefits agency meeting with OCR.   Ms. Stamer also regularly works with OCR, FTC, USSS, FBI and state and local law enforcement on privacy, data security, health care, benefits and insurance and other matters, publishes and speaks extensively on medical and other privacy and data security, health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns. Her publications and insights appear in the Health Care Compliance Association, Atlantic Information Service, Bureau of National Affairs, World At Work, The Wall Street Journal, Business Insurance, the Dallas Morning News, Modern Health Care, Managed Healthcare, Health Leaders, and a many other national and local publications. For instance, Ms. Stamer for the second year will serve as the appointed scribe for the ABA Joint Committee on Employee Benefits Agency meeting with OCR. Her insights on HIPAA risk management and compliance frequently appear in medical privacy related publications of a broad range of health care, health plan and other industry publications Among others, she has conducted privacy training for the Association of State & Territorial Health Plans (ASTHO), the Los Angeles Health Department, the American Bar Association, the Health Care Compliance Association, a multitude of health industry, health plan, insurance and financial services, education, employer employee benefit and other clients, trade and professional associations and others.  You can get more information about her HIPAA and other experience here.

If you need assistance with these or other compliance concerns, wish to inquire about arranging for compliance audit or training, or need legal representation on other matters please contact Ms. Stamer at (469) 767-8872 or via e-mail here.

You can review other recent publications and resources and additional information about the other experience of Ms. Stamer here. Examples of some recent publications that may be of interest include:

• Model Language May Aid Section 83(b) Elections Even As Executive & Other Special Compensation Carry Growing Liability Traps
• Stamer Speaks On “The Practical Nitty Gritty For Coping With Health Care Reform NOW” 9/25 At DFW Web Meeting
• Labor Risks Rising For Employers Despite NLRB Loss Of Arizona Secret Ballot Challenge
• USI Advisors Will Pay $1.27 Million To Settle Charges It Violated ERISA Fee Disclosure Requirements
• Wal-Mart Settlement Shows ADA Risks When Considering Employee Return To Work Accommodation Requests & Inquiries
• Stamer Speaks On HIPAA Developments On 9/14 At ABA Joint Tax/RPTE Fall Meeting In Boston
• Employer Pays $475,000 To Settle ADA Discrimination Lawsuit Challenging Medical Fitness Testing For EMTs, Firefighters & Other Public Safety Worker’s
• Employers & Plan Fiduciaries Reminded To Confirm Credentials & Bonding For Internal Staff, Plan Fidiciaries & Vendors Dealing With Benefits
• HIPAA & Texas Law Require HIPAA Training. Register Now For August 14 HIPAA Update Workshop!
• EBSA Updates Guidance On Fee Disclosure Requirements For 401(k) Plan Brokerage Window Arrangements
• Federal Mandate That Employer Health Plans Must Cover 100% Of Contraceptive, Other Women’s Health Services With No Cost Sharing Now Effective
• Use NIH & Other Free Government Resources To Help Round Out Wellness Programs
• 96% Employers of 50+ Employees, 36% Employers of Smaller Employers Provide Health Coverage
• 12 Steps Every Employer With A Health Plan Should Do Now To Manage 2012-14 Health Plan Risks & Liabilities
• Congress Gives Defined Benefit Plan Sponsors Welcome Funding Relief, Raises PBGC Premiums & Makes Other Reforms
• IRS To Offer Help For U.S. Citizens Overseas With Foreign Retirement Plans, Dual Citizenship Tax Issues
• New EEOC State Discrimination Charge Data Helpful Employer Risk Assessment Tool Discrimination Exposures Grow
• Obama’s Reaffirms Commitment Prosecute Disability Discrimination To Mark Omlstead Anniversary
• IRS Changing Individual Taxpayer ID Number Application Requirements
• Insurer Group Health Inc. To Refund $500,00+ & Change Claims Practices To Settle NY AG Charges It Wrongfully Denied Coverage
• NLRB Moves To Promote Non-Union Employee Use of Collective Action Rights By Launching Webpage
• Making Wellness Work On A Shoestring Budget
• Tighten Defensibility of Criminal & Other Background Check Practices In Light of Labor Department Non-Discrimination Regulation & Enforcement Emphasis
• Review & Update Health Plan Mental Health Coverage As DOL Supplements Guidance On Health Plan Mental Health Parity Rules
• Western Mixers & Officers Ordered To Pay $1.2M+ For Improperly Using Benefit Plan Funds For Company Operations, Other ERISA Violations
• Plan Administrator Faces Civil & Criminal Prosecution For Allegedly Making Prohibited $3.2 Million Real Estate Investment
• Employee Plan Fee Disclosure Rules Clarified
• OIG: “Extremely High” Prescription Drug Retail Pharmacy Billings Warrant Tighter Medicare Part D Oversight & Controls.

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating or updating your profile here. For important information concerning this communication click here.

©2012 Cynthia Marcotte Stamer.  Non-exclusive right to republish granted to Solutions Law Press, Inc.   All rights reserved.

This entry was posted on Monday, September 17th, 2012 at 9:39 PM and is filed under Employers, Health Plans, HIPAA, Human Resources, Insurance. You can follow any responses to this entry through the RSS 2.0 feed. Both comments and pings are currently closed.