A Massachusetts provider yesterday agreed to pay $1.5 million to settle potential violations of the HIPAA Security Rule. The provider also agreed to a corrective action plan requiring improvements to the policies and procedures that safeguard the privacy and security of patient protected health information (PHI), and to retain an independent monitor for a three-year period.
The settlement follows an investigation by the U.S. Department of Health and Human Services Office for Civil Rights (OCR), prompted by a breach report the provider submitted. The report described the theft of an unencrypted personal laptop containing electronic PHI (ePHI) of the provider’s patients and research subjects. OCR found that the provider had failed, over an extended period of time, to comply with several Security Rule requirements, including:
- Conducting a thorough risk analysis of the confidentiality of ePHI maintained on portable devices
- Implementing security measures sufficient to ensure the confidentiality of ePHI that the provider created, maintained, and transmitted using portable devices
- Adopting and implementing policies and procedures to restrict access to ePHI to authorized users of portable devices
- Adopting and implementing policies and procedures to address security incident identification, reporting, and response.
OCR noted that the provider’s continued failures demonstrate “a long-term, organizational disregard for the requirements of the Security Rule.” Yesterday’s settlement is a large one for alleged provider HIPAA violations. It underscores the need for providers to keep their risk analyses and policies and procedures current, to prioritize HIPAA compliance, and to maintain compliance programs with ongoing monitoring.

©2013 von Briesen & Roper, s.c.