Stolen laptop costs provider $850,000.
Under the law, you have to report HIPAA breaches to the HHS Office for Civil Rights. But such a report could bring a whole new level of HIPAA scrutiny to your organization. Learn some breach reporting dos and don’ts from these recent cases.
Case #1: Stolen Laptop
Background: In August 2011, a laptop was stolen from an unlocked treatment room at Lahey Hospital and Medical Center, a nonprofit teaching hospital affiliated with Tufts Medical School in Burlington, Mass., according to a Nov. 25 HHS Office for Civil Rights release. The laptop ran a portable CT scanner.
The laptop hard drive contained the PHI of 599 individuals. Lahey notified OCR of the theft and resulting HIPAA breach, and then OCR conducted an investigation.
Red flags: OCR’s investigation revealed “widespread noncompliance with the HIPAA Rules,” the release says. OCR found that Lahey:
In the settlement that OCR announced on Nov. 25, Lahey must pay $850,000 and adopt a “robust” Corrective Action Plan (CAP) to “address its history of noncompliance with the HIPAA Rules.” Lahey must provide OCR with a comprehensive, enterprise-wide risk analysis and corresponding risk management plan, as well as report certain events and provide evidence of compliance.
Insight: Unfortunately, Lahey’s case is not unique. A Dec. 1 analysis by attorneys Elizabeth Hodge and Thomas Range of Akerman pointed to Cancer Care Group, P.C.’s recent settlement agreement, which involved the theft of unencrypted computer server backup media and yielded similarly “robust” requirements in its CAP.
These cases “demonstrate the OCR’s focus on the importance of risk analysis and device and media control policies,” Hodge and Range cautioned. Accordingly, the CAP requires Lahey to adopt policies and procedures for:
* Recording the receipt, removal, and disposition (whether external or internal to Lahey’s facility) of hardware and electronic media that maintain ePHI;
* Ensuring workstations that maintain ePHI used in connection with diagnostic or laboratory equipment are registered with, and under the control of, Lahey’s Information Services Department; and
* Implementing mechanisms that record and examine activity in information systems of workstations that maintain ePHI used in connection with diagnostic or laboratory equipment.
Case #2: Business Associate
Yet another “robust” Corrective Action Plan and a whopping $3.5 million payout arose from a recent settlement agreement between OCR and Triple-S Management Corporation, formerly American Health Medicare Inc., an insurance holding company based in San Juan, P.R. Triple-S made multiple breach notifications to HHS involving unsecured PHI, which triggered an OCR investigation, according to a Nov. 30 OCR announcement. After investigating the company’s compliance with the HIPAA Rules, OCR found “widespread noncompliance throughout the various subsidiaries of Triple-S.” The alleged HIPAA violations included: