Someone reached into an employee’s back seat and stole a MacBook. The MacBook was unencrypted and not password protected, and the theft triggered a HIPAA investigation in 2017. The protected health information (PHI) of over 20,000 patients was potentially exposed, and eventually the health system paid a penalty of over a million dollars.
One Laptop with Huge Amount of Data
The electronic PHI was for patients across a number of related providers connected with Lifespan Health System Affiliated in Rhode Island. They included Rhode Island Hospital, its pharmacy, and other retail pharmacies, among others. Information stored on the stolen MacBook included emails containing patient names, medical record numbers, and demographic information.
OCR Warns You Have to Face Reality
This week it was announced that Lifespan paid a $1.04 million penalty to the Office for Civil Rights (OCR), the agency that enforces HIPAA, after the investigation uncovered widespread noncompliance with HIPAA. The settlement also includes a Corrective Action Plan, with two years of close oversight by OCR.
“Laptops, cellphones, and other mobile devices are stolen every day, that’s the hard reality,” OCR Director Roger Severino said in a statement. “Covered entities can best protect their patients’ data by encrypting mobile devices to thwart identity thieves.”
You have to do what’s necessary, and it starts with a complete Risk Analysis.
Half-Hearted Compliance is Not Enough
The laptop was stolen in 2017, and Lifespan reported the theft to OCR that year. But when OCR looked more closely at Lifespan’s policies and procedures they discovered gaping holes in its HIPAA compliance. While they had policies, they had not implemented them: there was no inventory of electronic devices, no plan for encryption, their password protection was inconsistent, and workforce training was weak. Lifespan also did not have a business associate agreement with its parent company, Lifespan Corporation and its affiliates.
HIPAA Risk Analysis – Risk Management is Key
A HIPAA compliant Risk Analysis is the roadmap to protect against loss of PHI, and if you follow through and implement the Risk Management plan that your analysis suggests, it protects against penalties from OCR.
Encryption is part of the solution – but a full inventory of all electronic devices that contain electronic protected health information is essential. Then a plan to protect the security of all the devices, with encryption, password protection, access controls, and workforce training completes the picture. All of these steps, including interactive inventory lists, suggested action items, and training are laid out in The HIPAA E-Tool® Risk Analysis.
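The inventory-plus-encryption check described above can be automated. The following is an added example written for this page, not code from The HIPAA E-Tool® or from Lifespan: it assumes a device inventory in which each macOS record carries the raw output of `fdesetup status` (the built-in FileVault status command, which prints "FileVault is On." or "FileVault is Off."), plus hypothetical `stores_phi` and `screen_lock` fields maintained by the asset owner. The sample inventory is constructed. Devices that hold ePHI but are not encrypted or have no password lock are returned as findings, which is the gap the stolen MacBook fell through.

```python
"""Audit a device inventory for unencrypted or unlocked endpoints holding ePHI.

Added example (not from the original post). Assumed inventory schema:
  device           - asset tag or hostname
  owner            - workforce member responsible for the device
  stores_phi       - bool, True if ePHI is present on the device
  screen_lock      - bool, True if a login password / screen lock is enforced
  fdesetup_status  - raw output of `fdesetup status` on macOS (FileVault)
"""
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class Finding:
    device: str
    owner: str
    issue: str


def filevault_enabled(status_output: str) -> bool:
    """Return True only when the first line of `fdesetup status` reports FileVault On.

    A deferred enablement ("FileVault is Off." followed by a note that deferred
    enablement is active) is still treated as unencrypted: the disk is not yet
    protected, so the device remains a risk until the user completes enablement.
    """
    lines = status_output.strip().splitlines()
    first = lines[0] if lines else ""
    return re.match(r"^FileVault is On\.?$", first.strip()) is not None


def audit_inventory(inventory: list[dict]) -> list[Finding]:
    """Flag every ePHI-bearing device that lacks disk encryption or a password lock."""
    findings: list[Finding] = []
    for entry in inventory:
        if not entry.get("stores_phi", False):
            continue  # devices without ePHI are out of scope for this check
        device, owner = entry["device"], entry.get("owner", "unassigned")
        if not filevault_enabled(entry.get("fdesetup_status", "")):
            findings.append(Finding(device, owner, "ePHI on unencrypted disk"))
        if not entry.get("screen_lock", False):
            findings.append(Finding(device, owner, "no password / screen lock"))
    return findings


# Constructed sample inventory for demonstration (not real assets or people).
SAMPLE_INVENTORY = [
    {"device": "MBP-0001", "owner": "clinic-a-user", "stores_phi": True,
     "screen_lock": False, "fdesetup_status": "FileVault is Off."},
    {"device": "MBP-0002", "owner": "pharmacy-user", "stores_phi": True,
     "screen_lock": True, "fdesetup_status": "FileVault is On."},
    {"device": "MBP-0003", "owner": "billing-user", "stores_phi": True,
     "screen_lock": True,
     "fdesetup_status": "FileVault is Off.\n"
                        "Deferred enablement appears to be active for user 'billing-user'."},
    {"device": "MBP-0004", "owner": "it-loaner", "stores_phi": False,
     "screen_lock": False, "fdesetup_status": "FileVault is Off."},
]


if __name__ == "__main__":
    for f in audit_inventory(SAMPLE_INVENTORY):
        print(f"{f.device} ({f.owner}): {f.issue}")
```

Running the script against the constructed inventory reports three findings: MBP-0001 twice (unencrypted and unlocked), MBP-0003 once (encryption deferred, so still unencrypted), and nothing for the encrypted MBP-0002 or the loaner that holds no ePHI. Feeding it the real inventory the Risk Analysis calls for turns "no plan for encryption" into a concrete, repeatable action list.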
If you aren’t prepared, find out how to get ready, protect your data and avoid crippling penalties – contact The HIPAA E-Tool® today.