On November 19, 2015, Lahey Hospital and Medical Center (“Lahey”) entered into an $850,000 settlement with the U.S. Department of Health and Human Services (“HHS”), Office for Civil Rights (“OCR”) for alleged violations of the Health Insurance Portability and Accountability Act of 1996 or “HIPAA”. As part of the settlement, Lahey must adopt a robust corrective action plan, which became operational on November 19, 2015, and will last for two years.

The settlement reinforces the importance of conducting HIPAA risk assessments with respect to the individually identifiable information in electronic form that is protected by HIPAA, referred to as “electronic protected health information” or “ePHI.”  The settlement also underscores that covered entities must timely identify and respond to security incidents, and promptly mitigate any harmful effects. In addition, the settlement highlights the critical nature of physical workstation security, in particular where health care delivery involves the use of portable devices that store ePHI, and the value of employing technical solutions that encrypt data at rest that is stored on portable devices.

Lahey, a nonprofit teaching hospital in Burlington, Massachusetts, first reported a laptop theft to HHS on October 11, 2011. The laptop was used in connection with a computerized tomography (“CT”) scanner and was taken from an unlocked treatment room off the inner corridor of Lahey’s Radiology Department. The laptop contained the unsecured ePHI of 599 individuals.

In November 2011, OCR notified Lahey of OCR’s investigation regarding compliance with HIPAA. OCR regularly investigates security breaches, but not all investigations result in a financial settlement. Here, however, OCR alleged serious deficiencies in Lahey’s HIPAA compliance program, specifically:

  1. Failure to conduct a thorough risk analysis of all its ePHI;
  2. Failure to physically safeguard a workstation that accessed ePHI;
  3. Failure to implement and maintain policies and procedures regarding the safeguarding of ePHI maintained on workstations utilized in connection with diagnosis/laboratory equipment;
  4. Lack of a unique user name for identifying and tracking user identity with respect to the workstation at issue;
  5. Failure to implement procedures that recorded and examined activity in the workstation at issue; and
  6. Impermissible disclosure of 599 individuals’ PHI.

In addition to the $850,000 settlement payment, Lahey entered into and agreed to comply with a two-year corrective action plan (“CAP”). Under the CAP, Lahey must conduct a comprehensive, organization-wide risk analysis of the security risks and vulnerabilities regarding its ePHI, and the resulting risk management plan must be approved by HHS.  Lahey must also adopt written HIPAA policies and procedures, which likewise require HHS approval. The CAP further requires Lahey to provide specific training to all workforce members who have access to and use ePHI, and to report to HHS if it determines that any members of its workforce have failed to comply with Lahey’s HIPAA policies and procedures during the two-year term of the CAP.

This settlement is one of several OCR HIPAA settlements this year. For example, on August 31, 2015, Indiana-based Cancer Care Group, P.C. agreed to a $750,000 settlement with OCR following the theft of a laptop bag containing a laptop computer and unencrypted backup media from an employee’s car.

The Lahey settlement payment and CAP demonstrate the importance of implementing and maintaining robust operations to reduce the risk of disclosing ePHI.  They underscore the value of taking a close look at physical security for workstations, and of using appropriate technical solutions to encrypt data at rest on portable devices.

Ellen H. Moskowitz

Ellen is a senior counsel in the Corporate Department and a member of the Health Care Group. She assists clients in the health care, life sciences, sports and non-profit industries.

Ellen advises on complex health care regulatory matters, health privacy and data security issues, and health-related labor and employment matters.  Her work with social services and charitable organizations particularly focuses on corporate governance matters.  Ellen’s clients are diverse, spanning hospital systems, physician groups and other health care providers and associations, health technology companies, social services and charitable organizations, professional sports leagues, pharmaceutical and medical device companies, private equity firms, health plans, health management companies, and tissue banks and organ procurement organizations.

Ellen is accredited by the International Association of Privacy Professionals as a certified information privacy professional in the U.S. private sector. She has written and lectured widely on health care law, policy and ethics.

Before joining Proskauer, Ellen was an associate for law with The Hastings Center, a private, nonpartisan education and research institute that examines ethical and policy issues in medicine, health and the environment. She also has served as associate counsel to the New York State Task Force on Life and the Law, a state law reform commission, where she helped to develop laws and regulations on care of the dying, organ transplantation and assisted reproduction.