Following the 2012 theft of a laptop computer containing the unencrypted data of 8,883 Connecticut residents, Hartford Hospital – and one of its Business Associates, EMC Corporation (EMC) – have agreed to a settlement with the Connecticut Office of the Inspector General.
Hartford Hospital and EMC have agreed to pay $90,000 to settle the incident. The agreement was reached voluntarily, and neither party admitted liability.
EMC was employed by Hartford Hospital to assist with the completion of a quality improvement project in late December, 2011. The focus of the project was to ultimately reduce avoidable hospital admissions with patients suffering from congestive heart failure. The project required EMC to complete an analysis of patient data, and EMC was provided with the Protected Health Information of patients to assist with this.
However, on June 25, 2012 an unencrypted laptop computer holding patient data was stolen from the home of an EMC member of staff. According to Hartford Hospital, the data does not seem to have been used inappropriately.
After being advised of the theft a day later, Hartford executed its breach response procedures: it notified the Connecticut OIG and the Department of Health and Human Services' Office for Civil Rights, issued breach notification letters to all affected patients and posted a breach announcement on its websites. All requirements of the Health Insurance Portability and Accountability Act's Breach Notification Rule were adhered to well within the required timescale.
A number of security controls were implemented following the data breach to lessen the possibility of a similar incident occurring again. Additional compliance training was provided for the staff, business managers received further training (using a new training module developed post-breach) and affected patients were provided with credit monitoring services to ensure they did not suffer losses. As is the norm after incidents such as this, law enforcement officers were unable to find the stolen laptop computer and it has not been recovered since.
However, HIPAA Rules were breached because Hartford Hospital failed to obtain a signed Business Associate Agreement with EMC before PHI was supplied. This has been a requirement since Feb 18, 2010, following the introduction of the HITECH Act. All Business Associates must sign a BAA and agree to comply with the HIPAA Privacy and Security Rules. It was this, together with the failure to encrypt the data properly, that made a financial penalty necessary. The settlement was agreed because it was in the interest of all parties to resolve the matter.
The settlement also states that Hartford Hospital will continue to monitor compliance with HIPAA and state regulations. Reasonable security policies will be adhered to in order to protect the PHI of patients, and, where feasible, PHI will be encrypted on all portable devices. The healthcare provider has also agreed to persist with its program of staff training on privacy and security matters. Periodic assessments of EMC's policies will also be carried out. Hartford will also ensure that a BAA is in place for all contractors that come into contact with PHI.
EMC will also encrypt data on portable devices, if feasible and appropriate, and has agreed to take the necessary measures to secure PHI in accordance with HIPAA Rules, in addition to providing training to its staff.
The settlement resolves all issues with the Conn. OIG, but that does not mean this is the end of the matter. The OCR will have reviewed the incident separately for alleged HIPAA violations, and may well decide to issue a financial penalty of its own. Both the BA and Hartford Hospital could be fined by the OCR for breaching HIPAA Rules.