The Department of Health and Human Services’ Office for Civil Rights (OCR) has reached a settlement with Lahey Hospital and Medical Center following an investigation into potential HIPAA violations. The Burlington, Mass. hospital has decided to settle the OCR’s case without admission of liability. The Lahey Hospital HIPAA breach settlement relates to the impermissible disclosure of the Protected Health Information of 599 patients in October 2011.
The incident that led to the OCR case involved the theft of a laptop computer associated with a portable computed tomography (CT) scanner. The laptop was used to operate the device and to record and store medical images via the hospital’s Radiology Information System and Picture Archiving and Communication System. The laptop computer was stolen from the hospital premises.
Lahey Hospital HIPAA Breach Settlement of $850,000 Agreed with OCR
A breach of 599 patient records may seem fairly minor in light of the recent mega data breaches suffered by health insurers, healthcare providers, and business associates of covered entities so far in 2015. However, the sizable Lahey Hospital HIPAA breach settlement relates not to the number of records exposed – although that is considered by OCR when deciding on a penalty – but to the seriousness of the HIPAA violations that contributed to the cause of the breach, as well as other violations of HIPAA Rules uncovered by investigators.
In this case, upon investigation of the data breach, OCR officials discovered a number of potential violations of HIPAA Rules, some of which breached fundamental HIPAA Rules put in place to keep the Protected Health Information of patients secure.
In order to determine whether vulnerabilities exist that could potentially be exploited by malicious insiders or external individuals, a covered entity must conduct a comprehensive risk analysis. The risk analysis must include all systems and equipment used to store ePHI. If any person, system, or software is required to touch ePHI, it must be included in the risk analysis.
Lahey Hospital was discovered not to have conducted an accurate and comprehensive risk analysis, and consequently, security vulnerabilities were allowed to remain. Potentially, considerably more than 599 medical records could have been exposed.
Non-Existent Controls to Track ePHI Access
OCR discovered there were no controls in place to determine whether ePHI had been accessed, as a unique username had not been set on the laptop computer stolen from the hospital. This was a violation of 45 C.F.R. § 164.312(a)(2)(i). There were also no procedures in place to monitor access and determine whether data were being viewed by unauthorized individuals.
The laptop computer was also left unattended in a room that was not locked. Covered entities must ensure that medical devices and computer equipment used to access or store PHI are physically protected to prevent unauthorized access to data.
Robust Action Plan Must be Followed with Strict Reporting Requirements
If an OCR investigation or a HIPAA compliance audit is conducted and HIPAA violations are discovered, OCR will issue a corrective action plan that the covered entity must follow. The action plan covers all areas of HIPAA non-compliance that were discovered. In this case, a robust action plan was issued as part of the Lahey Hospital HIPAA breach settlement with strict reporting requirements to ensure that all outstanding compliance issues are addressed. A comprehensive risk analysis must be conducted, additional safeguards implemented to protect ePHI, and a risk management plan developed to tackle any vulnerabilities discovered by the hospital.
According to OCR Director Jocelyn Samuels, “It is essential that covered entities apply appropriate protections to workstations associated with medical devices such as diagnostic or laboratory equipment.” The settlement should send a message to all covered entities that OCR is rigorously enforcing HIPAA regulations, which apply to all equipment used to store or transmit PHI.