Two health care providers settle HIPAA cases

The theft of an unencrypted laptop and the use of an Internet appointment calendar have led two health care providers in separate states to settle cases with the federal government for potential HIPAA violations.

Image: Picture of HIPAA manual

Massachusetts Eye and Ear Infirmary (MEII) and Massachusetts Eye and Ear Associates Inc. have agreed to pay the U.S. Department of Health and Human Services $1.5 million. MEII also agreed to take corrective action to improve policies and procedures to safeguard the privacy and security of its patients’ protected health information, according to an HHS news release.

The Office for Civil Rights began investigating MEII after the health care provider notified the office that an unencrypted personal laptop containing electronic protected health information of MEII patients and research subjects had been stolen. MEII reported the theft as required by the Health Insurance Portability and Accountability Act Breach Notification Rule.

OCR’s investigation concluded that MEII failed to:

  • conduct a thorough analysis of the risk to the confidentiality of electronic protected health information maintained on portable devices;
  • implement security measures sufficient to protect the confidentiality of electronic protected health information;
  • adopt and implement policies and procedures restricting access to protected health information on portable devices to authorized users;
  • adopt and implement policies and procedures for security incident identification, reporting and response.

The investigation indicated that these failures continued over an extended period, demonstrating a long-term organizational disregard for the requirements of the Security Rule.

According to a separate news release, Phoenix Cardiac Surgery also agreed to a corrective action plan and a settlement of $100,000. OCR launched an investigation after a report that the physician practice was posting clinical and surgical appointments for its patients on an Internet-based calendar that was publicly accessible.

OCR also discovered that the health care provider failed to:

  • implement adequate policies and procedures to safeguard patient information;
  • document that it trained any employees on its policies and procedures on the Privacy and Security Rules;
  • identify a security official and conduct a risk analysis;
  • obtain business associate agreements with Internet-based email and calendar services where the provision of the service included storage of and access to its electronic patient health information.

“This case is significant because it highlights a multi-year, continuing failure on the part of this provider to comply with the requirements of the Privacy and Security Rules,” said Leon Rodriguez, OCR director. “We hope that health care providers pay careful attention to this resolution agreement and understand that the HIPAA Privacy and Security Rules have been in place for many years, and OCR expects full compliance no matter the size of a covered entity.”

The ADA Catalog offers several professional resource products to help dental office staff develop and implement a HIPAA compliance program. The ADA Complete HIPAA Compliance Kit (J598) includes The ADA Practical Guide to HIPAA Compliance: Privacy and Security Kit (J594, Manual and CD-ROM and update service through January 2013) and The ADA Practical Guide to HIPAA Training (J596, CD-ROM). The complete kit is $300 for members and $450 for nonmembers.

The two components are also available as individual products. The ADA Practical Guide to HIPAA Compliance: Privacy and Security Kit is $225 for members and $337.50 for nonmembers. This updated manual combines the best-selling HIPAA Privacy and Security Manuals with up-to-date information on the HIPAA Privacy and Security regulations. Developed especially for dentists, the guide provides a step-by-step plan to help prepare and implement a successful compliance program.

The ADA Practical Guide to HIPAA Training (J596, CD-ROM) offers two levels of training. Level one is designed to help fulfill the training requirement for dental office staff, and level two helps managers who are developing and implementing their office’s HIPAA compliance program. The CD-ROM-based training program is $135 for members and $202.50 for nonmembers.

To order, call the ADA Member Service Center at 1-800-947-4746 or visit adacatalog.org.