Compliance Law Journal

release116 announcing that the Massachusetts Eye and Ear Infirmary (MEEI) entered into a $1.5 million resolution agreement following the theft of an unencrypted personal laptop containing the PHI of MEEI patients and research subjects, including patient prescriptions and clinical information.117 Likewise, on February 24, 2011, Massachusetts General Hospital entered into a $1 million resolution agreement after an employee accidentally left documents containing the PHI of 192 infectious disease patients, including some individuals diagnosed with HIV, on the subway while commuting to work.118

In summary, mobile devices and portable records continue to challenge Privacy Rule compliance. Workforce members are only human and occasionally a workforce member will drop or leave behind a device or record that contains PHI. Covered entities need to anticipate these accidental behaviors by: ( 1) conducting risk analyses associated with mobile devices and portable records; ( 2) implementing physical safeguards for laptops and other mobile devices and portable records containing PHI that would restrict access by unauthorized users; and ( 3) encrypt PHI contained on laptops and other mobile devices.119

CONCLUSION
This Article has summarized the history of the Privacy Rule, reviewed the
Privacy Rule’s theory of and approach to health information confidentiality,
and identified three themes relating to Privacy Rule compliance.

First, some Privacy Rule provisions are too complex to be operationalized. Covered entities with the financial means to do so can hire outside counsel

116. See Press Release, U.S. Dep’t of Health & Human Servs. Press Office, Massachusetts Provider Settles HIPAA Case for $1.5 Million (Sept. 17, 2012), http://www.hhs.gov/news/press/2012pres/09/20120917a.html [ https://wayback.archive- it.org/3926/20150121155313/http:// www.hhs.gov/news/press/2012pres/09/20120917a.html] (announcing the settlement).

117. See Resolution Agreement Between HHS and Massachusetts Eye and Ear Infirmary, HHS.GOV,

http://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/enforcement/examples/meei-agreement-pdf.pdf (last visited September 20, 2016).

118. See Resolution Agreement Between HHS and Massachusetts General Hospital, HHS.GOV (Feb. 24, 2011) http://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/enforcement/examples/massgeneralr acap.pdf.

119. See, e.g., 45 C.F.R. § 164.530(c)( 1) (2016) (“ A covered entity must have in place appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information.”); id. § 164.306(a)( 2), ( 3), and ( 4) (requiring covered entities to protect against “reasonably anticipated threats or hazards to the security or integrity of such information” “reasonably anticipated uses or disclosures of such information that are not permitted or required” by the Privacy Rule and to “[e]nsure compliance with the Security Rule by its workforce”).