The day before Thanksgiving, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced the largest resolution agreement of 2015, against Lahey Hospital and Medical Center (Lahey). The incident giving rise to the $850,000 settlement was apparently an isolated theft involving 599 patients with electronic protected health information (ePHI) on a radiology laptop used for CT scans in an unlocked treatment room.
As in every investigation it conducts following a reported breach, OCR identified several areas where the hospital purportedly failed to comply with HIPAA:
- Failure to conduct a thorough risk analysis of all of its ePHI
- Failure to physically safeguard a workstation that accessed ePHI
- Failure to implement and maintain policies and procedures regarding the safeguarding of ePHI maintained on workstations utilized in connection with diagnostic/laboratory equipment
- Lack of a unique user name for identifying and tracking user identity with respect to the workstation at issue in this incident
- Failure to implement procedures that recorded and examined activity in the workstation at issue in this incident
- Impermissible disclosure of 599 individuals’ PHI
Moreover, in addition to the payment of the settlement amount, OCR has in place a two-year corrective action plan (CAP), which requires the hospital to conduct an enterprise-wide risk analysis, enhance its policies, procedures and training, and report policy violations (not just breaches) to OCR for review. Oftentimes the CAP is the most difficult piece of the settlement to address because it sometimes goes beyond what HIPAA actually requires.
After working with clients through over 100 breach investigations by OCR, we have identified several areas that have consistently remained “hot buttons” since the implementation of HITECH in 2009:
- Mobile device and transmission security
- Device inventory, tracking, and monitoring
- Facility security and theft prevention
- Risk analyses and risk management/mitigation plans
- Third-party access to PHI (business associates)
- Staff education and sanctions
Additionally, there has been a recent focus on safeguards in place to help mitigate or prevent cyberattacks, which include:
- Intrusion detection software
- Antivirus software
- Access controls
Don’t wait until you are in the crosshairs of OCR during a breach investigation to address and document these activities. Additional guidance from HHS on how to protect ePHI on mobile devices can be found here.