Know what specific policies and procedures the OCR is looking for you to have in place.
Hackers seem to always find new ways of accessing private information, especially when it comes to electronic protected health information (ePHI), and one trend that’s gaining steam is theft of ePHI via medical devices and related radiological equipment. Unfortunately, this type of breach can cost you hundreds of thousands of dollars or more — here’s how one healthcare provider learned this lesson the hard way.
Background: In August 2011, a laptop was stolen from an unlocked treatment room at Lahey Hospital and Medical Center, a nonprofit teaching hospital affiliated with Tufts Medical School in Burlington, Mass., according to a Nov. 25 HHS Office for Civil Rights (OCR) announcement. The laptop was on a stand that accompanied a portable CT scanner, and the laptop operated the scanner, producing radiological images.
The laptop hard drive contained the PHI of 599 individuals. Lahey notified OCR of the theft and resulting HIPAA breach, and then OCR conducted an investigation.
Don’t Make the Same Mistakes
Red flags: OCR’s investigation revealed “widespread noncompliance with the HIPAA Rules,” according to the announcement. Specifically, OCR found that Lahey:
In the settlement that OCR announced on Nov. 25, Lahey must pay $850,000 and adopt a “robust” Corrective Action Plan (CAP) to “address its history of noncompliance with the HIPAA Rules.” Lahey must provide OCR with a comprehensive, enterprise-wide risk analysis and corresponding risk management plan, as well as report certain events and provide evidence of compliance.
What Compliance Looks Like to OCR
Insight: Unfortunately, Lahey’s case is not unique — a Dec. 1 analysis by attorneys Elizabeth Hodge and Thomas Range of Akerman LLP pointed to Cancer care Group, P.C.’s recent settlement agreement, which involved the theft of unencrypted computer server backup media and yielded similar “robust” requirements in its CAP (see “Backup Devices: Learn 3 Crucial Lessons From The Latest Data Breaches,” HICA, Vol. 15, No. 9, page 65).
These cases “demonstrate the OCR’s focus on the importance of risk analysis and device and media control policies,” Hodge and Range cautioned. And in response, the CAP requires Lahey to:
Take These Actions Now
Additionally, Hodge and Range advised that you review these OCR settlement agreements to determine whether your policies and procedures adequately address device security in the OCR’s eyes. Also, do you need to update your organization’s risk analysis due to new risks involving devices that the OCR, the Food and Drug Administration (FDA), and other government agencies have identified, such as hackers’ ability to infiltrate hospital systems through medical devices?
Crucial: Is your risk management plan current? Do you need new policies and procedures to address newly identified risks and vulnerabilities associated with mobile and medical devices? And finally, are your workforce members who access ePHI current with their HIPAA training requirements? The OCR is clearly looking for providers to be compliant with all of these requirements.
Resources: To read the OCR’s Resolution Agreement and CAP with Lahey, go to www.hhs.gov/ocr/privacy/hipaa/ enforcement/examples/Lahey.html. A guidance document on how to protect and secure ePHI when using mobile devices is available at www.healthit.gov/providers-professionals/your-mobile-device-and-health-information-privacy-and-security.