The Wagner Law Group, A Professional Corporation, is a nationally recognized ERISA & employee benefits, estate planning, employment, labor & human resources practice.

Established in 1996, The Wagner Law Group has 22 attorneys engaged exclusively in employee benefits, estate planning and employment law. Five of our attorneys are AV rated by Martindale-Hubbell as having very high to preeminent legal abilities and ethical standards. The firm is among the largest ERISA boutiques in the country. Our practice is national in scope, with clients in more than 40 states and several foreign countries.

Contact Info

The Wagner Law Group

Massachusetts Office
Tel: (617) 357-5200
Fax: (617) 357-5250
99 Summer Street
13th Floor
Boston, MA 02110

Florida Office
Tel: (561) 293-3590
Fax: (561) 293-3591
7121 Fairway Drive
Suite 203
Palm Beach Gardens, FL 33418

New York Office
Tel: (716) 650-5987
Fax: (716) 633-0301
333 International Drive
Suite B-4
Williamsville, NY 14221

San Francisco Office
Tel: (415) 625-0002
Fax: (415) 829-4385
315 Montgomery Street
Suite 902
San Francisco, CA 94104

www.wagnerlawgroup.com

October 18, 2012

State and Federal Law Alert

Theft of Unencrypted Laptop Results in $1.5 Million HIPAA Security Rule Settlement

The U.S. Department of Health and Human Services ("HHS") recently announced that a HIPAA "covered entity" has agreed to pay $1.5 million and enter into a three-year Corrective Action Plan ("CAP") to settle alleged violations of the HIPAA Security Rule.

Under HIPAA, covered entities include group health plans, insurers and health care providers. The Security Rule protects health information in electronic form ("ePHI") by requiring covered entities to adopt and implement physical, technical and administrative safeguards to ensure that ePHI remains private and secure.

The violation occurred when an unencrypted personal laptop that belonged to one of the covered entity's employees was stolen. The laptop contained ePHI for approximately 3,500 patients and research subjects, including names, e-mail addresses, dates of birth, prescriptions and medical histories. As required by the HITECH Breach Notification Rule, the covered entity reported the breach to the affected patients and research subjects, as well as to HHS.

HHS's Office of Civil Rights ("OCR") proceeded to investigate the breach and found that the covered entity had failed to comply with certain Security Rule requirements. OCR concluded that the covered entity had failed to: (i) implement security measures to ensure that ePHI stored on portable devices was kept confidential; (ii) conduct a thorough risk assessment analysis of the vulnerabilities of ePHI stored on portable devices; and (iii) adopt and implement policies and procedures to address identification, reporting, and response to "security incidents." OCR also said these failures had continued over an extended period of time, thus demonstrating the covered entity's long-term organizational disregard for the Security Rule.

The CAP requires the covered entity to review, revise and maintain policies and procedures to ensure compliance with the Security Rule. Moreover, an independent monitor will verify the covered entity's compliance with the CAP through unannounced site visits and report its findings to HHS semi-annually for a period of three years.

The use of portable devices is becoming increasingly commonplace in the health care industry. Therefore, covered entities (and their business associates) must be vigilant in monitoring potential risks to their ePHI and, when appropriate, update their policies and procedures for securing ePHI. To ensure complete compliance with the highly technical and complex requirements of the HIPAA Privacy and Security Rules, covered entities should also consult with qualified counsel.

This Newsletter is protected by copyright. Material appearing herein may be reproduced with appropriate credit.

Pursuant to Internal Revenue Service Circular 230, we hereby inform you that any advice set forth herein with respect to US federal tax issues is not intended or written by The Wagner Law Group to be used and cannot be used, by you or any taxpayer, for the purpose of avoiding penalties that may be imposed on you or any other person under the Internal Revenue Code.

This Newsletter is provided for information purposes by The Wagner Law Group to clients and others who may be interested in the subject matter, and may not be relied upon as specific legal advice. This material is not to be construed as legal advice or legal opinions on specific facts. Under the Rules of the Supreme Judicial Court of Massachusetts, this material may be considered advertising.