The Rhode Island non-profit health system, Lifespan Health System Affiliated Covered Entity (Lifespan), has been fined $1,040,000 by the Department of Health and Human Services’ Office for Civil Rights for violations of the Health Insurance Portability and Accountability Act (HIPAA) Rules. Had HIPAA Rules been followed, a data breach of 20,431 healthcare records would have been avoided.
Lifespan was investigated by OCR following the submission of a breach report advising OCR that a laptop computer containing patient information had been stolen from the vehicle of one of its employees. HIPAA has a provision that requires HIPAA-covered entities to encrypt devices containing electronic protected health information (ePHI) if it is reasonable and appropriate to do so given the level of risk. If encryption is not implemented, alternate security measures can be implemented if they provide an equivalent level of protection.
Lifespan had conducted a risk analysis and determined that encryption was reasonable and appropriate given the level of risk to the confidentiality, integrity, and availability of ePHI, yet failed to implement encryption or an alternate safeguard. OCR also found that Lifespan had not created a full inventory of devices that connect to networks containing ePHI, and policies and procedures had not been implemented to track portable electronic devices.
HIPAA-covered entities can work with other HIPAA covered entities and vendors but must enter into a contract called a business associate agreement prior to disclosing ePHI. Lifespan had not entered into such an agreement with its affiliated healthcare providers, of which there were many, neither with its parent company and business associate, Lifespan Corporation.
As a direct result of some of the compliance failures there was an impermissible disclosure of the ePHI of 20,431 individuals when the laptop was stolen, which is also a violation of the HIPAA Rules.
OCR determined there was “systemic noncompliance with the HIPAA Rules” which warranted a financial penalty. Lifespan settled the case with no admission of liability and paid the financial penalty. Lifespan has also adopted a corrective action plan to address all aspects of noncompliance.
“Laptops, cellphones, and other mobile devices are stolen every day, that’s the hard reality. Covered entities can best protect their patients’ data by encrypting mobile devices to thwart identity thieves,” said Roger Severino, OCR Director.