Usually, HIPAA violations are part of the background noise of the healthcare business, and few are so large that they prove catastrophic for the entity involved. In the following case, however, a health system has incurred a fine that can’t be taken lightly.
The unfortunate organization in the spotlight is Lifespan Health System, which has agreed to pay $1,040,000 to the HHS Office for Civil Rights. Lifespan has also agreed to implement a corrective action plan to address its HIPAA deficiencies.
Lifespan’s problems began in April 2017, when a laptop was stolen from an affiliated hospital employee. The laptop contained a wide range of electronic protected health information, including patient names, medical record numbers, demographics and medical information, encompassing 20,431 individuals. The information was not encrypted.
After investigating the health system, OCR determined that Lifespan Health (cited as Lifespan Health System Affiliated Covered Entity, or Lifespan ACE) was not encrypting ePHI on any of its laptops despite knowing better. What’s more, OCR found that Lifespan lacked device and media controls. Lifespan ACE had also failed to put a business associate agreement in place with its parent company, Lifespan Corporation.
Though this kind of fine has been unusual in the past, OCR has hit a few healthcare organizations hard in recent times. One standout was the $2.2 million HIPAA fine OCR imposed on Sentara Hospitals late last year. According to OCR, Sentara not only mailed patient PHI to 577 incorrect addresses, its leaders apparently decided not to report the full extent of the breach to OCR even after the agency asked them to do so. This kind of stuff definitely makes regulators get testy.
Earlier that year, OCR slapped a medical imaging firm with a $3 million fine after discovering a host of HIPAA violations that the firm failed to address. Touchstone Medical Imaging had learned that its data had been breached when notified by both the FBI and OCR. The two agencies told Touchstone that among other problems, one of its servers was giving outsiders uncontrolled access to patients’ PHI.
Investigators later found that Touchstone had waited several months to investigate the security incident despite the warning from OCR and the FBI. OCR later concluded that data from more than 300,000 patients had been breached, despite the firm claiming that the problem with its FTP server hadn’t exposed any PHI at all. Apparently, this skullduggery didn’t sit well with OCR staffers.
The lessons we can draw from these fines seem pretty obvious. If you don’t want OCR to come down on you like a ton of bricks, act quickly when you uncover a HIPAA violation, be honest about the extent of any breach of patient data and for heaven’s sake, be cooperative when the agency asks you to address obvious problems. Plus, encrypt any devices that have PHI! While these steps can’t protect you completely from massive HIPAA fines, they certainly put you in a far better position if investigators come calling.