By James Swann
Nov. 24 — A Massachusetts hospital reached an $850,000 settlement with the federal government over potential violations of the Health Insurance Portability and Accountability Act involving a stolen laptop, according to a government announcement.
The Health and Human Services Office for Civil Rights said the settlement was the result of an investigation it conducted after Lahey Hospital and Medical Center in Burlington, Mass., reported the theft of a laptop. The OCR's investigation uncovered HIPAA compliance deficiencies, including the lack of an enterprisewide risk analysis.
Lahey reported the stolen laptop to the OCR on Aug. 11, 2011, and said it contained protected health information (PHI) for 599 individuals.
The laptop was stolen from an unlocked room in the middle of the night, the hospital said, and was used to operate and produce images from a portable computed tomography (CT) scanner.
After conducting an investigation based on the hospital's data breach report involving the stolen laptop, the OCR uncovered numerous instances of systemwide HIPAA noncompliance, including the hospital's failure to conduct a risk analysis covering all electronic PHI and a failure to safeguard the workstation from which the laptop was stolen.
Other deficiencies identified by the OCR included the hospital's inability to track user activity at the workstation as well as the impermissible disclosure of the PHI for 599 individuals stored on the laptop.
The agreement wasn't an admission of liability by Lahey, nor was it a concession by the OCR that Lahey wasn't in violation of the HIPAA rules.
Kirk Nahra, an attorney with Wiley Rein in Washington, told Bloomberg BNA Nov. 24 that the OCR is careful, diligent and thoughtful about these types of cases.
Nahra said the OCR generally acts when there is a really bad problem, a repeated, uncorrected problem or a single problem that uncovers a larger series of issues. Nahra said the Lahey settlement appears to be a case of a single potential breach uncovering multiple additional problems.
The $850,000 penalty was driven by the HIPAA deficiencies discovered by the OCR, Nahra said, not by the laptop theft itself.
“It is essential that covered entities apply appropriate protections to workstations associated with medical devices such as diagnostic or laboratory equipment,” OCR Director Jocelyn Samuels said in a Nov. 24 statement.
In addition to the $850,000, Lahey agreed to implement a corrective action plan that includes conducting a full risk analysis as well as developing a risk management plan.
Lahey will be required to submit both the risk analysis and the risk management plan to the OCR for review and approval. Once approved, Lahey will have to develop written policies and procedures that cover maintaining a record of the removal of any hardware that includes electronic PHI as well as making sure that all hardware containing electronic PHI is registered with the hospital's information services department.
Lahey also will be responsible for training employees with access to electronic PHI on the new policies and procedures.
The corrective action plan became operational on Nov. 19, when the settlement agreement was signed, and will last for two years, unless Lahey breaches the plan.
To contact the reporter on this story: James Swann in Washington at email@example.com
To contact the editor responsible for this story: Nancy Simmons at firstname.lastname@example.org