Hot off the presses: there’s been another settlement announced by OCR. This one involves Lahey Hospital and Medical Center (Lahey Clinic Hospital), who have agreed to pay $850,000 and to adopt a robust corrective action plan to correct deficiencies in its HIPAA compliance program.
Lahey is a nonprofit teaching hospital affiliated with Tufts Medical School, providing primary and specialty care in Burlington, Massachusetts. The incident involved the theft of a laptop with 599 patients’ protected health information. Although there is no press release issued yet, according to the Resolution Agreement, Lahey notified HHS in October, 2011 that the unencrypted laptop was used in connection with a computerized tomography (“CT”) scanner. The laptop was reportedly stolen from an unlocked treatment room off of the inner corridor of Lahey’s Radiology Department.
In investigating the incident, OCR found that
- Lahey failed to conduct an accurate and thorough analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of its ePHI as part of its security management process. See 45 C.F.R. §164.308(a)(1)(ii)(A).
- Lahey failed to implement reasonable and appropriate physical safeguards for a workstation that accesses ePHI to restrict access to authorized users. See 45 C.F.R. § 164.310(c).
- With respect to the workstation, Lahey failed to implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain ePHI into and out of its facility, and the movement of these items within its facility. See 45 C.F.R. § 164.310(d)(1).
- Lahey failed to assign a unique user name for identifying and tracking user identity with respect to the aforementioned workstation. See 45 C.F.R. § 164.312(a)(2)(i).
- Lahey did not implement a mechanism to record and examine activity on the workstation at issue in this breach. See 45 C.F.R. § 164.312(b).
- Lahey impermissibly disclosed the ePHI of 599 individuals for a purpose not permitted by the Privacy Rule. See 45 C.F.R. § 164.502(a).
In addition to the $850,000 fee, Lahey has agreed, without any admissions or concessions, to a multi-element corrective action program, detailed in the Resolution Agreement.