OCR Settlement Reached with Lahey Hospital

The HHS has announced that Lahey Hospital and Medical Center has agreed to settle a case with the Office for Civil Rights (OCR) over alleged HIPAA violations following a data breach that occurred back in October, 2011.

Lahey Hospital and Medical Center has agreed to pay $850,000 to settle the case without admission of liability. The nonprofit teaching hospital has also agreed to adopt the OCR's corrective action plan to address the HIPAA-compliance issues discovered by OCR investigators. The settlement covers six ‘potential’ violations of HIPAA Rules, specifically the failure to implement appropriate administrative and physical controls to prevent the accidental disclosure of ePHI.

Failure to Safeguard ePHI Results in $850,000 Settlement

The incident which led to the OCR investigation involved the theft of an unencrypted laptop computer that had been left in an unlocked treatment room at the hospital. The laptop contained data recorded from one of the medical center’s CT scanners, including the electronic Protected Health Information of 599 patients.

A financial penalty was deemed appropriate not because of the laptop theft itself, but because of the violations of HIPAA Rules that the OCR alleges contributed to the privacy breach. The OCR investigation revealed a number of fundamental non-compliance issues. Had the hospital implemented controls to safeguard equipment and data, as required by the Health Insurance Portability and Accountability Act, it is probable that the data breach would have been prevented.

When the OCR investigates data breaches, healthcare providers are often discovered to have violated the HIPAA Security Rule by failing to conduct a comprehensive risk assessment. This was found to be the case when OCR investigators assessed Lahey Hospital’s HIPAA-compliance efforts.

Had a thorough risk assessment been conducted, the hospital would have determined there was a high risk of equipment being stolen from its facilities. Furthermore, the theft of equipment was likely to result in the exposure of ePHI.

The OCR discovered there was a lack of physical security controls in place at the hospital. The laptop was not encrypted and was not secured under lock and key; it was left in an unlocked room off a main access corridor. Since the laptop computer was used to access medical data, controls should have been implemented to limit who was able to access patient data via the device. Investigators determined that 45 C.F.R. § 164.312(a)(2)(i) had been violated, as a unique user name was not required for data to be accessed. As a result, users who accessed ePHI via the device could not be identified or tracked, and no mechanism existed to periodically examine the device for ePHI access attempts.

A failure to implement protections under 45 C.F.R. § 164.310(d)(1) to control the movement of equipment used to store ePHI was also discovered. As a result of the deficiencies in the hospital’s HIPAA-compliance program, patient privacy was violated, and the ePHI of 599 patients was impermissibly exposed.

The corrective action plan requires Lahey Hospital to conduct a full, thorough, organization-wide security risk assessment to determine whether any vulnerabilities exist that could be exploited by insiders or external parties to gain access to ePHI and physical records. A risk management plan must also be developed to deal with any risks discovered during the risk assessment. The hospital has been allowed 270 days to conduct its analysis and submit its management plan to the OCR.

During the next 90 days the hospital must develop policies and procedures to control the issuing of equipment used to store ePHI, and its removal from the premises. Policies must be written and put in place to ensure ePHI access logs are maintained and regularly checked. Additional training must also be provided to members of staff required to come into contact with ePHI as part of their working duties.

The nonprofit teaching hospital in Burlington, Massachusetts, is associated with Tufts Medical School. The hospital provides both primary and specialty care, and employs over 5,000 nurses and 500 physicians. Over 737,000 patients received medical services at the hospital last year. The full resolution agreement and CAP can be viewed at this link.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.