Remember, criminals don't have to actually use your patients' private health information for you to rack up major HIPAA breach fines. Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates Inc. (MEEI) has agreed to pay the U.S. Department of Health and Human Services $1.5 million to settle potential violations of the HIPAA Security Rule, HHS says in a release. MEEI had earlier reported the theft of an unencrypted personal laptop containing the electronic protected health information (ePHI), including prescriptions and clinical information, of MEEI patients and research subjects. "Necessary steps to comply with certain requirements of the Security Rule, such as conducting a thorough analysis of the risk to the confidentiality of ePHI maintained on portable devices, implementing security measures sufficient to ensure the confidentiality of ePHI that MEEI created, maintained, and transmitted using portable devices," were not taken by MEEI according to the HHS Office for Civil Rights investigation. MEEI "also agreed to take corrective action to improve policies and procedures to safeguard the privacy and security of its patients' protected health information," the release adds.