On November 19, 2015, Lahey Hospital and Medical Center (“Lahey”) entered into an $850,000 settlement with the U.S. Department of Health and Human Services (“HHS”), Office for Civil Rights (“OCR”) for alleged violations of the Health Insurance Portability and Accountability Act of 1996 or “HIPAA”. As part of the settlement, Lahey must adopt a robust corrective action plan, which became operational on November 19, 2015, and will last for two years.
The settlement reinforces the importance of conducting HIPAA risk assessments with respect to the individually identifiable information in electronic form that is protected by HIPAA, referred to as “electronic protected health information” or “ePHI.” The settlement also underscores that covered entities must timely identify and respond to security incidents, and promptly mitigate any harmful effects. In addition, the settlement highlights the critical nature of physical workstation security, in particular where health care delivery involves the use of portable devices that store ePHI, and the value of employing technical solutions that encrypt data at rest that is stored on portable devices.
Lahey, a nonprofit teaching hospital in Burlington, Massachusetts, first reported a laptop theft to HHS on October 11, 2011. The laptop was used in connection with a computerized tomography (“CT”) scanner and was taken from an unlocked treatment room off the inner corridor of Lahey’s Radiology Department. The laptop contained the unsecured ePHI of 599 individuals.
In November 2011, OCR notified Lahey of OCR’s investigation regarding compliance with HIPAA. OCR regularly investigates security breaches, but not all result in financial payouts. Here, however, OCR alleged serious deficiencies in Lahey’s HIPAA compliance program, specifically:
- Failure to conduct a thorough risk analysis of all its ePHI;
- Failure to physically safeguard a workstation that assessed ePHI;
- Failure to implement and maintain policies and procedures regarding the safeguarding of ePHI maintained on workstations utilized in connection with diagnosis/laboratory equipment;
- Lack of a unique user name for identifying and tracking user identity with respect to the workstation at issue;
- Failure to implement procedures that recorded and examined activity in the workstation at issue; and
- Impermissible disclosure of 599 individuals’ PHI.
In addition to the $850,000 settlement payment, Lahey entered into and agreed to comply with a two-year corrective action plan (“CAP”). Under the CAP, Lahey must conduct a comprehensive, organization-wide risk analysis of the security risks and vulnerabilities regarding its ePHI, and the resulting risk management plan must be approved by HHS. Lahey must also adopt written HIPAA policies and procedures that must also be approved by HHS. The CAP further requires Lahey to provide specific training to all workforce members who have access to and use ePHI, and to report to HHS if it determines that any members of its workforce have failed to comply with Lahey’s HIPAA policies and procedures during the two-year term of the CAP.
This settlement is just one of the most recent OCR HIPAA settlements this year. For example, on August 31, 2015, Indiana-based Cancer Care Group, P.C. agreed to a $750,000 settlement with OCR following the theft of a laptop bag containing a laptop computer and unencrypted backup media from an employee’s car.
The Lahey settlement payment and CAP demonstrates the importance of implementing and maintaining robust operations to reduce the risk of disclosing ePHI. It underscores the value of taking a close look at physical security for workstations, and using appropriate technical solutions to encrypt data at rest on portable devices.