Lack of Encryption & Other HIPAA Flaws Leads to $1m HIPAA Penalty
The HHS’ Office for Civil Rights (OCR) has imposed a $1,040,000 HIPAA penalty on Lifespan Health System Affiliated Covered Entity (Lifespan ACE) after identifying systemic noncompliance with the HIPAA Rules.
Lifespan is a not-for-profit health network based in Rhode Island with many healthcare provider affiliates in the state. On April 21, 2017, Lifespan Corporation, the parent company and business associate of Lifespan ACE, submitted a breach report to OCR concerning the theft of an unencrypted laptop computer on February 25, 2017.
The laptop was stolen from an employee’s vehicle, which was broken into in a public parking lot. It contained patient names, medical record numbers, medication information, and demographic data of 20,431 patients of Lifespan ACE’s healthcare provider affiliates.
OCR investigated the breach and found systemic noncompliance with the HIPAA Rules. Lifespan ACE uses a range of mobile devices and had conducted a risk analysis to identify potential risks to the confidentiality, integrity, and availability of ePHI. Through that risk analysis, Lifespan ACE determined that encrypting mobile devices such as laptops was reasonable and appropriate given the level of risk, yet it did not implement encryption. Encryption is an “addressable” implementation specification under the Security Rule, which means a covered entity that finds it reasonable and appropriate must either implement it or document why not and adopt an equivalent alternative; having decided it was warranted and then failing to deploy it, Lifespan ACE violated 45 C.F.R. § 164.312(a)(2)(iv). Had the laptop been encrypted in line with HHS guidance, the data on it would not have counted as “unsecured” PHI and the theft would not have been a reportable breach.
OCR also found that Lifespan ACE had not created policies and procedures requiring the tracking of portable devices with access to a network containing ePHI, and had no thorough inventory of those devices, in violation of 45 C.F.R. § 164.310(d)(1).
Lifespan Corporation was a business associate of Lifespan ACE, but the two entities had never entered into a business associate agreement with each other. Lifespan ACE had also not obtained signed business associate agreements from its healthcare provider affiliates, in violation of 45 C.F.R. § 164.502(e).
Because of these compliance failures, Lifespan ACE was held responsible for the impermissible disclosure of the ePHI of 20,431 individuals when the laptop was stolen – see 45 C.F.R. § 164.502(a).
Lifespan ACE agreed to settle the case, pay the HIPAA penalty, and implement a thorough corrective action plan (CAP). The CAP requires Lifespan ACE to enter into business associate agreements with its affiliates and parent company, establish an inventory of all electronic devices, implement encryption and configure access controls, and review and revise its policies and procedures for device and media controls. Those policies and procedures must be distributed to the workforce, and training must be provided on them. OCR will monitor Lifespan ACE’s compliance efforts for the two-year term of the CAP.
OCR Director Roger Severino said: “Laptops, cellphones, and other mobile devices are stolen every day, that’s the hard reality. Covered entities can best protect their patients’ data by encrypting mobile devices to thwart identity thieves.”
This is the second HIPAA penalty made public by OCR in the past week. On July 23, 2020, OCR announced that Metropolitan Community Health Services, dba Agape Health Services, had been fined $25,000 for long-term, systemic noncompliance with the HIPAA Security Rule.