Mobile Devices and HIPAA Penalties: Lessons from the First Targeted Enforcement Action

Well, that’s timely. I had just posted a HIPAA Mobile Devices Policy when I received notification of a HIPAA civil monetary penalties settlement involving, you guessed it, mobile devices. (They call them “portable devices,” same diff.) Sometimes the stars align . . .

Anyway, according to the press release from the DHHS Office of Civil Rights (“OCR”) (emphasis added):


Massachusetts provider settles HIPAA case for $1.5 million

Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates Inc. (collectively referred to as “MEEI”) has agreed to pay the U.S. Department of Health and Human Services (HHS) $1.5 million to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule.  MEEI also agreed to take corrective action to improve policies and procedures to safeguard the privacy and security of its patients’ protected health information.

The investigation by the HHS Office for Civil Rights (OCR) followed a breach report submitted by MEEI, as required by the Health Information Technology for Economic and Clinical Health Act (HITECH) Breach Notification Rule, reporting the theft of an unencrypted personal laptop containing the electronic protected health information (ePHI) of MEEI patients and research subjects.  The information contained on the laptop included patient prescriptions and clinical information.

OCR’s investigation indicated that MEEI failed to take necessary steps to comply with certain requirements of the Security Rule, such as conducting a thorough analysis of the risk to the confidentiality of ePHI maintained on portable devices, implementing security measures sufficient to ensure the confidentiality of ePHI that MEEI created, maintained, and transmitted using portable devices, adopting and implementing policies and procedures to restrict access to ePHI to authorized users of portable devices, and adopting and implementing policies and procedures to address security incident identification, reporting, and response.  . . .

In addition to the $1.5 million settlement, the agreement requires MEEI to adhere to a corrective action plan, which includes reviewing, revising, and maintaining policies and procedures to ensure compliance with the Security Rule. An independent monitor will conduct assessments of MEEI’s compliance with the corrective action plan and render semi-annual reports to HHS for a 3-year period.


More useful information is included in the Resolution Agreement and Corrective Action Plan, which indicate specifically that MEEI failed to do the following:

  •  “[F]ully evaluate the likelihood and impact of potential risks to the confidentiality of ePHI maintained in and transmitted using portable devices, implement appropriate security measures to address such potential risks, document the chosen security measures and the rationale for adopting those measures, and maintain on an on-going basis reasonable and appropriate security measures.”

  •  “[A]dequately adopt or implement policies and procedures to address security incident identification, reporting, and response.”

  •  “[A]dequately adopt or implement policies and procedures to restrict access to authorized users for portable devices that access ePHI or to provide it with a reasonable means of knowing whether or what type of portable devices were being used to access its network[.]”

  •  “[A]dequately adopt or implement policies and procedures governing the receipt and removal of portable devices into, out of, and within the facility . . . MEEI had no reasonable means of tracking non-MEEI owned portable media devices containing its ePHI into and out of its facility, or the movement of these devices within the facility.”

  •  “[A]dequately adopt or implement technical policies and procedures to allow access to ePHI using portable devices only to authorized persons or software programs . . . MEEI did not implement an equivalent, reasonable, and appropriate alternative measure to encryption that would have ensured confidentiality of its ePHI or document the rationale supporting the decision not to encrypt.”


Without knowing any inside information, my impression is that MEEI probably just let its users do their thing with mobile devices without thinking through the compliance aspects. Certainly it appears that they didn’t do any risk assessment or implement any policies and procedures for their control. This would account for the $1.5 million fine, and is all too consistent  with the way some organizations go about compliance.

I’m sure they had a HIPAA compliance program of some sort, and I wouldn’t be surprised if it were checklist-based, and because the checklist didn’t include mobile devices they didn’t get included. Checklists are great for making sure you have something covering all your bases for regulatory purposes, but are not the same thing as a risk analysis – and the HIPAA Security Rule really is risk-based.

I also find it interesting that MEEI’s policies and procedures for mobile devices will be subject to OCR approval, and that MEEI will be required to report any noncompliance with those P&Ps by its workforce, be subject to independent oversight by a “Monitor,” and be required to make regular reports to OCR. I will be very interested to see what forms OCR accepts, as I am sure many will, and I have to think this is going to be a rather burdensome oversight process for MEEI. Fortunately it will apparently only go on for about three years . . .