Lifespan to Pay OCR $1.04M HIPAA Penalty For Unencrypted Laptop Theft

July 28, 2020 - The Office for Civil Rights reached a settlement with Lifespan Health System Affiliated Covered Entity over the theft of an unencrypted laptop in 2017. The Rhode Island entity will pay a $1.04 million civil monetary penalty and agreed to a corrective action plan. 

In April, Lifespan reported the device theft, which occurred when an individual broke into an employee’s vehicle and stole several items. Law enforcement was contacted, and Lifespan launched its own investigation. Officials determined the stolen MacBook was unencrypted and not password protected. 

The employee’s credentials were changed to reduce the chance of unauthorized access. However, the theft could have potentially allowed access to the data of 20,431 patients, as Lifespan determined the employee’s work emails may have been cached in a file on the device’s hard drive. 

The ePHI was tied to patients from across Lifespan’s affiliate providers, including Rhode Island Hospital, its pharmacy, and other retail pharmacies, among others. The compromised data could include patient names, medical record numbers, medication details, and demographic information. The laptop was never recovered. 

The OCR investigation found systemic noncompliance with HIPAA, including failing implement policies and procedures to encrypt electronic protected health information after Lifespan determined it would have been reasonable and appropriate. 

READ MORE: OCR Settles with Small Provider for $25K Over Multiple HIPAA Violations

Under HIPAA, encryption is seen as an addressable element, rather than a requirement. But that does not mean encryption can be ignored. The regulation requires providers to determine the appropriate privacy and security measures that will benefit their workflow, while keeping data protected. 

“[HIPAA] permits covered entities to determine whether the addressable implementation specification is reasonable and appropriate for that covered entity. If it is not, the Security Rule allows the covered entity to adopt an alternative measure that achieves the purpose of the standard, if the alternative measure is reasonable and appropriate,” according to HHS. 

OCR also determined Lifespan did not implement policies or procedures to track or inventory all devices that contain ePHI or access the enterprise network. Lifespan lacked device and media controls and also did not have a business associate agreement with its parent entity, Lifespan Corporation and its affiliates. 

“Laptops, cellphones, and other mobile devices are stolen every day, that’s the hard reality,” OCR Director Roger Severino, said in a statement. “Covered entities can best protect their patients’ data by encrypting mobile devices to thwart identity thieves.”  

Lifespan agreed to pay the monetary penalty and to adhere to a corrective action plan that will include two years of monitoring and workforce training. 

READ MORE: COVID-19: OCR Reminds Providers of Media Access Restrictions to PHI

As part of the agreement, Lifespan has 90 days to provide proof of encryption and access controls to the Department of Health and Human Services. The report must include the total number of devices and equipment used to access, store, download, or transmit ePHI. 

The report will also need to detail the total number of covered electronic media encrypted by Lifespan, including the date and evidence of encryption, as well as an estimate of when covered media will be encrypted or the reasons why encryption would not be reasonable and appropriate and the compensating controls implemented to safeguard the ePHI. 

The entity is required to provide HHS with an updated report on its network access controls, including the type of controls and any pending updates to their access control policies and procedures. Lifespan must also create a detailed encryption report, including categories, solutions, and other measures. 

Lifespan will need to revise the policies and procedures around its business associate agreements. That includes creating a standard BAA template and designating one or more individuals responsible for ensuring Lifespan enters into a BAA with each business associate prior to the disclosure of PHI. 

The entity must create a process to assess current and future business relationships to assess which entity is a HIPAA-defined business associate and would require a BAA. The provider must also create a process for negotiating and entering into business associate agreements. 

This is the second OCR settlement announced in the last week, after a lull brought on by the COVID-19 pandemic. Metropolitan Community Health Services settled with OCR for $25,000 on July 23 for multiple HIPAA violations. The penalty accounted for Metro being a Federally Qualified Health Center that provides discounted medical services to underserved populations.