Hartford Hospital and one of its Business Associates, EMC Corporation (EMC), have reached a $90,000 settlement with the Connecticut Office of the Inspector General over the 2012 theft of a laptop computer containing the unencrypted data of 8,883 Connecticut residents. The agreement was reached voluntarily, and neither party admits liability.
EMC was contracted by Hartford Hospital in late December 2011 to assist with a quality improvement project whose ultimate aim was to reduce avoidable hospital admissions among patients suffering from congestive heart failure. The project required EMC to analyze patient data, and EMC was provided with patients' Protected Health Information (PHI) for this purpose.
However, on June 25, 2012, an unencrypted laptop computer containing patient data was stolen from the home of an EMC employee. According to Hartford Hospital, there is no indication that the data has been misused.
After being notified of the theft a day later, Hartford executed its breach response procedures: it notified the Connecticut OIG and the Department of Health and Human Services' Office for Civil Rights (OCR), sent breach notification letters to all affected patients, and posted a breach notice on its websites. All requirements of the Health Insurance Portability and Accountability Act's (HIPAA) Breach Notification Rule were met well within the required timescale.
A number of security measures were implemented following the data breach to reduce the likelihood of a similar incident. Additional compliance training was arranged for staff, business managers received further training using a new training module developed after the breach, and affected patients were offered credit monitoring services to help them detect any resulting fraud. As is common in such cases, law enforcement was unable to locate the stolen laptop, which has not been recovered.
However, HIPAA Rules were violated because Hartford Hospital had not obtained a signed Business Associate Agreement (BAA) from EMC before providing it with PHI. Under the HITECH Act's business associate provisions, in force since Feb 18, 2010, all Business Associates must sign a BAA and are themselves bound by the HIPAA Privacy and Security Rules. It was this omission, together with the failure to encrypt the data, that led to the financial penalty. The settlement was reached because it was in the interest of all parties to resolve the matter.
The settlement also requires Hartford Hospital to continue to monitor its compliance with HIPAA and state regulations. Reasonable security policies will be maintained to protect patients' PHI and, where feasible, PHI will be encrypted on all portable devices. (Encryption is an "addressable" rather than "required" safeguard under the HIPAA Security Rule, but PHI encrypted in line with HHS guidance is not considered "unsecured" PHI, so the loss of an encrypted device would not trigger breach notification.) The healthcare provider has also agreed to continue its program of staff training on privacy and security matters, to periodically assess EMC's policies, and to ensure that a BAA is in place with every contractor that handles PHI.
EMC will likewise encrypt data on portable devices where feasible and appropriate, has agreed to take the steps necessary to secure PHI in accordance with HIPAA Rules, and will provide training to its employees.
The settlement resolves all issues with the Connecticut OIG, but that does not mean this is the end of the story. OCR, which was also notified of the breach, is likely to have investigated the incident for alleged HIPAA violations and may decide to issue a financial penalty of its own. Both the Business Associate and Hartford Hospital could potentially be fined by OCR for breaching HIPAA Rules.