Lahey Clinic Hospital, Inc. (Lahey) agreed to an OCR HIPAA settlement that stemmed from a 2011 incident where an unencrypted laptop was stolen, potentially compromising the PHI of 599 individuals.
Lahey was fined $850,000 as part of the settlement and must also enter into a Corrective Action Plan (CAP), which includes “a comprehensive, organization-wide risk analysis of the security risks and vulnerabilities to the ePHI created, received, maintained or transmitted by Lahey.”
HHS was notified of the laptop theft on October 11, 2011. The device was reportedly taken from an unlocked treatment room “off of the inner corridor” in the hospital’s radiology department.
The OCR investigation found that Lahey failed to implement the necessary physical safeguards for a workstation that houses ePHI, and that it “failed to conduct an accurate and thorough analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of its ePHI as part of its security management process.”
OCR also reported the following results from its investigation:
- With respect to the workstation, Lahey failed to implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain ePHI into and out of its facility, and the movement of these items within its facility
- Lahey failed to assign a unique user name for identifying and tracking user identity with respect to the aforementioned workstation
- Lahey did not implement a mechanism to record and examine activity on the workstation at issue in this breach
- Lahey impermissibly disclosed the ePHI of 599 individuals for a purpose not permitted by the Privacy Rule
- Lahey must also provide proper training to workforce members who access ePHI, ensuring that they are aware of all policies and procedures in place to keep it safe.
Any information systems or workstations that contain or maintain ePHI must have the necessary hardware, software, and/or procedural mechanisms that record and examine activity, according to OCR. Moreover, Lahey must also keep a record of the “receipt, removal, and disposition of hardware and electronic media that maintain ePHI into and out of” the hospital, as well as the movements within the facility.
The OCR HIPAA settlement dictates that Lahey also needs to “develop a risk management plan to address and mitigate any security risks and vulnerabilities following the risk analysis.” The risk analysis report must be sent to HHS within 270 days of Lahey being asked to send it, OCR writes.
“Upon receiving HHS’s notice of required revisions, if any, Lahey shall have ninety (90) days to revise the risk analysis and risk management plan accordingly and forward to HHS for review and approval,” the settlement reads.
This is only the most recent OCR HIPAA settlement this year. In September, Indiana-based Cancer Care Group, P.C. agreed to a $750,000 settlement with OCR, following the investigation of a 2012 incident.
In that case, Cancer Care had a laptop bag containing a laptop computer and unencrypted backup media stolen from an employee’s car. Approximately 55,000 current and former Cancer Care patients were potentially affected.
“Organizations must complete a comprehensive risk analysis and establish strong policies and procedures to protect patients’ health information,” OCR Director Jocelyn Samuels said in a statement. “Further, proper encryption of mobile devices and electronic media reduces the likelihood of a breach of protected health information.”