
MEEI Breach Notification Prompts OCR Investigation and Settlement

Written by Dianne Bourque

The most recent published Office for Civil Rights (OCR) HIPAA enforcement action serves as an important reminder that self-reported breaches can and do lead to investigations and enforcement.

Massachusetts Eye and Ear Infirmary (MEEI) was following the HITECH breach notification rules when it reported the theft of an unencrypted laptop in 2010. The laptop contained the protected health information of MEEI patients and research subjects, including prescription and other health information. OCR investigated the breach and brought an enforcement action, citing MEEI for a number of HIPAA Security Rule violations. Not unexpectedly, OCR focused on laptop security and the security of portable devices generally, which has been an OCR enforcement priority.

The MEEI enforcement provides important reminders for covered entities:

1. Encrypt laptops and other portable devices.

2. Keep track of portable devices.

3. The OCR trend toward seven-figure fines is continuing (the MEEI settlement was $1.5 million).

To read the MEEI resolution agreement, click here.


Authors

M. Daria Niewenhous is a Mintz Member with a well-established health care practice. National and local providers rely on Daria’s experience to navigate capital projects, mergers & acquisitions, integration, and other strategic initiatives; adverse events; and licensing, contracting, patient care/risk management, and other complex legal matters.
Dianne J. Bourque advises health care clients on licensure, regulatory, contractual, risk management, and patient care matters for Mintz. Dianne counsels researchers and research sponsors on FDA and OHRP regulations. She also counsels clients on data privacy issues, including HIPAA standards.