Health Law Gurus

Hospital’s Turkey Dinner Is $850,000 Fine for Failure to Secure Mobile Medical Devices

Just before Thanksgiving, Lahey Hospital and Medical Center (“Lahey”), a non-profit teaching hospital located in Burlington, Massachusetts, agreed to pay $850,000 for a breach of unsecured electronic protected health information (“ePHI”). Lahey will also be required to implement a corrective action plan.

The breach occurred in 2011 when an unencrypted laptop was stolen from an unlocked treatment room. The laptop, which was used in connection with a portable CT scanner, contained the protected health information (“PHI”) of approximately 599 individuals.

OCR opened an investigation and identified several specific areas in which Lahey was lacking in HIPAA compliance, including the following:

• Failure to conduct a thorough risk analysis of all PHI;
• Failure to physically safeguard a workstation that accessed PHI;
• Failure to implement and maintain policies and procedures regarding the safeguarding of ePHI maintained on workstations utilized in connection with diagnostic/laboratory equipment;
• Lack of a unique user name for identifying and tracking user identity with respect to the workstation at issue in this incident;
• Failure to implement procedures that recorded and examined activity in the workstation at issue in this incident; and
• Impermissible disclosure of 599 individuals’ PHI.

Lahey’s settlement with the Office for Civil Rights (“OCR”) serves as an important reminder for covered entities that mobile devices need to be considered in a risk analysis. In the U.S. Department of Health & Human Services press release, OCR Director Jocelyn Samuels states that “[b]ecause these workstations often contain ePHI and are highly portable, such ePHI must be considered during an entity’s risk analysis, and entities must ensure that necessary safeguards that conform to HIPAA’s standards are in place.”

Ms. Samuels further emphasizes that “[i]t is essential that covered entities apply appropriate protections to workstations associated with medical devices such as diagnostic or laboratory equipment.”

With a new year approaching and OCR HIPAA audits just around the corner, now is the time to re-evaluate your organization’s HIPAA compliance program. Here are some of the questions that you should ask yourself:

• Have you conducted a risk analysis?
• If you have, has your risk analysis been updated recently?
• Do you have a risk management program that addresses existing and new threats to PHI?
• Do you have policies and procedures in place to address threats to PHI?
• When was the last time your employees were trained in HIPAA compliance, and are your employees familiar with all of your organization’s policies and procedures?
• Have you addressed mobile device security in your risk analysis?
• Do you encrypt devices as well as any transmissions of information involving PHI?
• Are your business associates committed to HIPAA compliance?

The Health Law Gurus™ will continue to monitor OCR HIPAA settlements. Please check back with us for updates and helpful tips for improving your organization’s HIPAA compliance.

To read a full copy of the Resolution Agreement and Corrective Action Plan, click here.

To read a copy of the press release click here.