Following a data breach that occurred back in 2011, the HHS has revealed that Lahey Hospital and Medical Center has agreed to settle a case with the Office for Civil Rights (OCR) over alleged HIPAA violations for $850,000.
Lahey Hospital and Medical Center has agreed to settle the case without admission of liability. The nonprofit teaching hospital has also agreed to implement the OCRs corrective action plan to address HIPAA-compliance problems discovered by OCR investigators. The settlement includes six ‘potential’ violations of HIPAA Rules, specifically the failure to implement appropriate administrative and physical measures to prevent the accidental disclosure of ePHI.
The incident which led to the OCR review involved the theft of an unencrypted laptop computer that had been left in an unlocked treatment room at the hospital. The laptop stored data recorded from one of the medical center’s CT scanners. The laptop contained ePHi of 599 patients.
A financial penalty was deemed appropriate for the violations of HIPAA Rules that the OCR alleges contributed to privacy breach, not due to the actual laptop theft. The OCR investigation showed a number of fundamental non-compliance issues. Had the hospital implemented controls to protect equipment and data, as required by the Health Insurance Portability and Accountability Act, it is probable that the data breach would have been stopped.
When the OCR reviews data breaches, healthcare providers are often found to have violated the HIPAA Security Rule by failing to conduct a comprehensive risk assessment. This was he case when OCR investigators assessed Lahey Hospital’s HIPAA-compliance attempts.
If a thorough risk assessment been carried out, the hospital would have found there was a high risk of equipment being stolen from its facilities. Furthermore, the theft of equipment was likely to lead to the exposure of ePHI.
The OCR found there was a lack of physical security measures in place at the hospital. The laptop was not encrypted, and was not placed under lock and key. It was left in an unlocked room reachable via a main access corridor. Since the laptop computer was used to access medical data, security controls should have been implemented to limit who was able to access patient data via the device. Investigators found that 45 C.F.R. § 164.312(a)(2)(i) had been violated, as a unique user name was not required for data to be viewed. As a result, any user who accessed ePHI via the device could not be tracked, and no mechanism was in place to examine the device to periodically check ePHI access attempts.
A failure to put in place protections under 45 C.F.R. § 164.310(d)(1) to control the movement of equipment used to store ePHI was also discovered. As a result of the weaknesses in the hospital’s HIPAA-compliance program, patient privacy was violated, and the ePHI of 599 patients was exposed without permission.
The corrective action plan states Lahey Hospital must conduct a full, thorough, organization-wide security risk assessment to determine whether any weaknesses exist that could be exploited by insiders or external parties to gain access to ePHI and physical records. A risk management plan must also be formulated to deal with any risks discovered during the risk assessment. The hospital has been given 270 days to conduct its analysis and submit its management plan to the OCR.
During the next 90 days the hospital must develop policies and strategies to control the issuing of equipment used to store ePHI, and its removal from the premises. Policies must be written and put in place to ensure ePHI access logs are maintained and regularly reviewed. Additional training must also be given to members of staff required to come into contact with ePHI as part of their working duties.
The nonprofit teaching hospital in Burlington, Massachusetts, is partnered with Tufts Medical School. The hospital provides both primary and specialty care, and employs over 5,000 nurses and 500 physicians. Over 737,000 patients received medical services at the hospital in 2014. The full resolution agreement and CAP can be downloaded here.