Perhaps the good news is that the Office for Civil Rights (OCR) accepts payment plans. But the bad news is that one physician momentarily forgetting his backpack cost his employer $1.5 million.
OCR has made it clear, once again, that it will not tolerate covered entities’ lack of policies and procedures to comply with the security rule. Last month it settled allegations of noncompliance against Massachusetts Eye and Ear Infirmary, and its affiliated physician group, by accepting a $1.5 million payment in three installments. OCR also imposed a three-year corrective action plan on the organization, which was founded in 1864.
The sanctions came despite Mass. Eye and Ear’s contention that it has “no indication that any patients were harmed by this isolated incident,” which occurred on Feb. 19, 2010. A physician with Massachusetts Eye and Ear Infirmary lost his personal laptop containing demographic and health information of approximately 3,526 patients that the doctor had treated or studied in research.
OCR stresses the dangers of allowing physicians and others to use their own devices in the workplace without proper HIPAA security policies in place. In this incident, the physician owned the laptop, but it contained official records from the entity. Massachusetts Eye and Ear had very little knowledge of, and very little control over, when its staff would be allowed to access the entity’s files using their personal devices. OCR and the National Coordinator for Health Information Technology (known as ONC) are working on joint guidance about securing mobile devices.
This article was originally published by AIS Health Report on Patient Privacy.