September 21, 2012 — Stolen or lost laptops accounted for roughly 1 in 5 incidents of footloose patient data reported to the federal government in 2011, according to a recent study by the accounting firm Kaufman Rossin.
If that statistic is not enough to convince out-and-about physicians to lock their laptops in their car trunks, the federal government will get their attention with a regulatory hammer. Just ask a group practice affiliated with the Massachusetts Eye and Ear Infirmary (MEEI), a specialty hospital in Boston.
In February 2010, a member of that group practice, now retired, had his unencrypted laptop stolen while he was lecturing in South Korea. The laptop contained demographic and health information on roughly 3600 patients. When it announced the theft 2 months later, MEEI stated that there was no evidence to suggest that anyone had accessed or misused the data in the computer. In addition to apologizing for the data breach, MEEI said it was encrypting laptops connected to its network and educating its staff about limiting the amount of patient information stored on the devices.
Those changes were not enough for the Department of Health and Human Services (HHS). Its Office for Civil Rights, which enforces the security provisions of the Health Insurance Portability and Accountability Act (HIPAA), investigated the case of the filched laptop. The inquiry indicated that MEEI and its affiliated medical group demonstrated "a long-term, organizational disregard for the requirements of the security rule," such as analyzing the risks associated with mobile electronic devices and taking the necessary precautions, according to HHS.
On September 17, HHS announced that MEEI and an affiliated medical group, Massachusetts Eye and Ear Associates, had agreed to pay the government $1.5 million to settle "potential violations" of HIPAA. The Massachusetts providers also agreed to a corrective action plan to stay out of HIPAA trouble in the future.
The settlement represents neither an admission of liability or wrongdoing by the providers nor a concession by the government that the providers did not violate HIPAA.
In a statement posted on its Web site, MEEI said that it has already implemented many of the requirements of the corrective action plan. It called mobile computer technology "both a boon and bane for healthcare providers," helping them work on the run, but also giving them security headaches. MEEI expressed disappointment at the size of the settlement, "given the lack of patient harm discovered in this investigation" and "especially since the independent specialty hospital's annual revenue is very small compared to other much larger institutions that have received smaller fines."
An MEEI spokesperson told Medscape Medical News that hospital officials declined to say anything about the settlement beyond what was posted on the Web site.
Commentary: While the importance of keeping data safe in our computers is highlighted in this article, I am actually amazed at the amount of the fine being charged here. This was a problem limited to a single individual, there was no harm to any patient, and there was no evidence that any such action was attempted by the thief. These kinds of fines may have a salutary effect on organizations, but the magnitude would also add to health costs, and appears unreasonable in my opinion.