I’m not really surprised about this one as in my book is an old issue that WILL NOT HAPPEN TO ANY OF YOU!!! Simply put, Eye and Ear Infirmary and its affiliated physician group, Massachusetts Eye and Ear Associates, lost a laptop with patient records in 2010. Which is why I said is an old issue because it took them almost two years to get to a settlement. In other words, the HIPAA breaches that are found this year may take one or more years to get settled. This is not necessarily good news when you consider that the time it took was more than likely due to negotiations where the HIPAA violators were paying a good amount to their lawyers to assist and protect them. That means that the potential settlement and fines could have been a lot higher. The 17 page resolution agreement and settlement with Boston-based Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates (MEEI) was the result of a reported 2010 theft of a laptop computer storing 3,621 patient records. The Office for Civil Rights contends that in addition to failing to secure data MEEI did not comply with several other HIPAA security-rule requirements, including performing “a thorough analysis of the risk to the confidentiality” of individually identifiable patient information stored on the portable device and not “adopting and implementing policies and procedures to restrict access to ePHI to authorized users of portable devices.” The acronym ePHI refers to electronic protected health information. “In an age when health information is stored and transported on portable devices such as laptops, tablets and mobile phones, special attention must be paid to safeguarding the information held on these devices,” Office for Civil Rights Director Leon Rodriguez said in a news release. “This enforcement action emphasizes that compliance with the HIPAA privacy and security rules must be prioritized by management and implemented throughout an organization, from top to bottom.” Now consider the following, to this date I have not seen any organization that meets 100% of HIPAA Security requirements. Funny thing about it, a lot of the people I talked to don’t really know what are the HIPAA security requirements. Furthermore, I have not heard of anyone that has completed the risk analysis as required by HIPAA Security. I actually have done a few in behalf of some of my clients and I can attest that conducting a risk analysis is nothing short of time consuming and painful if you don’t know what they are talking about. Of course every settlement that I have seen ends with a requirement “to adhere to a corrective action plan” and hired an independent monitor to review actions are taken.