release116 announcing that the Massachusetts Eye and Ear Infirmary (MEEI)
entered into a $1.5 million resolution agreement following the theft of an
unencrypted personal laptop containing the PHI of MEEI patients and
research subjects, including patient prescriptions and clinical information.117
Likewise, on February 24, 2011, Massachusetts General Hospital entered into
a $1 million resolution agreement after an employee accidentally left
documents containing the PHI of 192 infectious disease patients, including
some individuals diagnosed with HIV, on the subway while commuting to
In summary, mobile devices and portable records continue to challenge
Privacy Rule compliance. Workforce members are only human and
occasionally a workforce member will drop or leave behind a device or
record that contains PHI. Covered entities need to anticipate these accidental
behaviors by: (1) conducting risk analyses associated with mobile devices
and portable records; (2) implementing physical safeguards for laptops and
other mobile devices and portable records containing PHI that would restrict
access by unauthorized users; and (3) encrypting PHI contained on laptops and
other mobile devices.119
This Article has summarized the history of the Privacy Rule, reviewed the
Privacy Rule’s theory of and approach to health information confidentiality,
and identified three themes relating to Privacy Rule compliance.
First, some Privacy Rule provisions are too complex to be operationalized.
Covered entities with the financial means to do so can hire outside counsel
116. See Press Release, U.S. Dep’t of Health & Human Servs. Press Office,
Massachusetts Provider Settles HIPAA Case for $1.5 Million (Sept. 17, 2012),
http://www.hhs.gov/news/press/2012pres/09/20120917a.html [ https://wayback.archive-
(announcing the settlement).
117. See Resolution Agreement Between HHS and Massachusetts Eye and Ear Infirmary,
http://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/enforcement/examples/meei-agreement-pdf.pdf (last visited September 20, 2016).
118. See Resolution Agreement Between HHS and Massachusetts General Hospital,
HHS.GOV (Feb. 24, 2011)
119. See, e.g., 45 C.F.R. § 164.530(c)(1) (2016) (“A covered entity must have in place
appropriate administrative, technical, and physical safeguards to protect the privacy of
protected health information.”); id. § 164.306(a)(2), (3), and (4) (requiring covered entities to
protect against “reasonably anticipated threats or hazards to the security or integrity of such
information,” “reasonably anticipated uses or disclosures of such information that are not
permitted or required” by the Privacy Rule and to “[e]nsure compliance with the Security Rule
by its workforce”).