On November 25, 2015, Lahey Hospital and Medical Center (Lahey) agreed to settle potential violations of HIPAA regulations for $850,000. In addition, the settlement calls for a robust corrective action plan. Lahey is a nonprofit teaching hospital affiliated with Tufts Medical School and is located in Burlington, MA.

Lahey Hospital and Medical Center settles HIPAA issues

Is your medical record system ready for HIPAA review? If not, you can expect HIPAA issues.

The incident in question occurred on August 11, 2011. A laptop computer used with a portable CT scanner was stolen from an unlocked treatment room. The laptop operated the scanner and produced images for viewing through Lahey’s Radiology Information System and PACS. The laptop hard drive contained PHI of 599 individuals.

OCR’s investigation highlighted widespread non-compliance with the HIPAA rules, including:

  • Failure to conduct a thorough risk analysis of all of its ePHI;
  • Failure to physically safeguard a workstation that accessed ePHI;
  • Failure to implement and maintain policies and procedures regarding the safeguarding of ePHI maintained on workstations utilized in connection with diagnostic/laboratory equipment;
  • Lack of a unique user name for identifying and tracking user identity with respect to the workstation at issue in this incident;
  • Failure to implement procedures that recorded and examined activity in the workstation at issue in this incident; and
  • Impermissible disclosure of 599 individuals’ PHI.

As is customary with OCR settlements, Lahey did not admit to any violations, and OCR did not concede that Lahey was not in violation of the HIPAA Rules.

This enforcement action highlights the importance of addressing the security of all ePHI, not simply the PHI contained in the electronic medical record.

It is interesting to note that OCR did not cite the failure to encrypt the data on the laptop. Encryption is an addressable (not required) specification under the Security Rule, but it matters under the Breach Notification Rule: had the hard drive been encrypted in line with HHS guidance, the PHI on it would not have been "unsecured PHI," the theft would not have been a reportable breach, and Lahey would never have reported the incident. (Note that whole-disk encryption only helps if the key is not stored on the device and the machine is powered off or locked when it is taken.) On equipment such as this, hospitals are often reluctant to modify the systems, for example by installing third-party encryption, because vendors could void warranties or reduce support. One lesson for hospitals and providers is to press vendors to offer improved security: encryption could easily be included as a feature on such systems.
