Hospital Pays $850,000 to Resolve Potential HIPAA Violation

By James Swann

Nov. 24 — A Massachusetts hospital reached an $850,000 settlement with the federal government over potential violations of the Health Insurance Portability and Accountability Act involving a stolen laptop, according to a government announcement.

The Health and Human Services Office for Civil Rights said the settlement was the result of an investigation it conducted after Lahey Hospital and Medical Center in Burlington, Mass., reported the theft of a laptop. The OCR's investigation uncovered HIPAA compliance deficiencies, including the lack of an enterprisewide risk analysis.

Lahey reported the stolen laptop to the OCR on Aug. 11, 2011, and said it contained protected health information (PHI) for 599 individuals.

The laptop was stolen from an unlocked room in the middle of the night, the hospital said, and was used to operate and produce images from a portable computerized topography scanner.

After conducting an investigation based on the hospitals' data breach report involving the stolen laptop, the OCR uncovered numerous instances of systemwide HIPAA noncompliance, including the hospital's failure to conduct a risk analysis on all electronic PHI and a failure to safeguard the workstation where the laptop was stolen.

Other deficiencies identified by the OCR included the hospital's inability to track user activity at the workstation as well as the impermissible disclosure of the PHI for 599 individuals stored on the laptop.

The agreement wasn't an admission of liability by Lahey, nor was it a concession by the OCR that Lahey wasn't in violation of the HIPAA rules.

Kirk Nahra, an attorney with Wiley Rein in Washington, told Bloomberg BNA Nov. 24 that the OCR is careful, diligent and thoughtful about these types of cases.

Nahra said the OCR generally acts when there is a really bad problem, a repeated, uncorrected problem or a single problem that uncovers a larger series of issues. Nahra said the Lahey settlement appears to be a case of a single potential breach uncovering multiple additional problems.

The $850,000 penalty was driven by the HIPAA deficiencies discovered by the OCR, Nahra said, not by the laptop theft itself.

“It is essential that covered entities apply appropriate protections to workstations associated with medical devices such as diagnostic or laboratory equipment,” OCR Director Jocelyn Samuels said in a Nov. 24 statement.

Corrective Action Plan

In addition to the $850,000, Lahey agreed to implement a corrective action plan that includes conducting a full risk analysis as well as developing a risk management plan.

Lahey will be required to submit both the risk analysis and the risk management plan to the OCR for review and approval. Once approved, Lahey will have to develop written policies and procedures that cover maintaining a record of the removal of any hardware that includes electronic PHI as well as making sure that all hardware containing electronic PHI is registered with the hospital's information services department.

Lahey also will be responsible for training employees with access to electronic PHI on the new policies and procedures.

The corrective action plan became operational on Nov. 19, when the settlement agreement was signed, and will last for two years, unless Lahey breaches the plan.

To contact the reporter on this story: James Swann in Washington at

To contact the editor responsible for this story: Nancy Simmons at

For More Information