A PHI data breach that took place in 2012 recently resulted in a Connecticut hospital and one of its contractors having to pay $90,000 to the state.
Hartford Hospital and EMC Corporation both signed an agreement under which they will pay the state $90,000 and implement additional privacy and security measures, including steps to ensure they remain HIPAA compliant.
On June 25, 2012, an unencrypted laptop was stolen from an EMC employee’s home, according to the assurance of voluntary compliance (AVC) released by the Connecticut Attorney General. The laptop contained the PHI of 8,883 individuals and has not yet been recovered. EMC notified Hartford Hospital of the theft the following day; at that point the hospital also determined that it had never entered into a business associate agreement (BAA) with EMC.
Per the AVC, Hartford Hospital’s corrective measures focus primarily on future BAAs, including ensuring that all BAAs follow “a Business Associate and Privacy & Information Security Vendor Contract Flowchart to assist business managers in determining when a BAA is required.”
“The Hospital has enhanced annual mandated compliance training for the Hospital workforce to include greater emphasis on the legal obligations relating to business associates and having valid BAAs,” the AVC explained.
Hartford Hospital has also adopted new contract templates for supply chain management and IT agreements that incorporate HIPAA-compliant business associate provisions.
It will also be necessary for the hospital to do the following, according to the AVC:
- Comply with applicable HIPAA regulations
- Examine current relationships with BAs ‘that have existing contracts for data analytics involving substantial access to patient data in order to determine’ whether an appropriate BAA is already in place
- Before a security risk assessment, ensure that files or data containing PHI are encrypted before they are transferred or transmitted
- Require employees to certify that they’ve participated in annual privacy training
- Include whether a BAA is needed and in place in all future contract policy audits
- Submit a follow-up report in one year to the attorney general’s office, demonstrating that all corrective action measures and additional training and monitoring have been enacted
EMC must also maintain reasonable procedures in relation to PHI encryption, according to the AVC, and ensure that there are proper security measures in place for employees who store, access, and transfer PHI.
EMC also needs to “provide regular employee training to inform employees who are responsible for handling and/or utilizing PHI in their work about their obligations under the law and EMC’s policies with respect to protecting and securing PHI,” the agreement states.
Finally, EMC is also required to periodically monitor its internal controls related to PHI privacy and security and to update them as needed.
In addition to potential fines owed to the state where a HIPAA violation took place, healthcare providers and their BAs could also find themselves paying federal fines. As previously reported by HealthITSecurity.com, Cancer Care Group, P.C. agreed to a HIPAA settlement of $750,000 with the Office for Civil Rights (OCR) after a 2012 incident.
In that case, a laptop bag was stolen from an employee’s car, possibly compromising the information of 55,000 individuals.
“Organizations must complete a comprehensive risk analysis and establish strong policies and procedures to protect patients’ health information,” OCR Director Jocelyn Samuels said in a statement. “Further, proper encryption of mobile devices and electronic media reduces the likelihood of a breach of protected health information.”