Lifespan Affiliated Covered Entity (“Lifespan ACE”) is a HIPAA-covered entity. This not-for-profit health system includes three academic teaching hospitals, a medical and mental health services hospital, and Rhode Island’s largest nonprofit behavioral healthcare provider. In April 2017, Lifespan Corporation, Lifespan ACE’s parent company and business associate, filed a breach report with the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR). The resulting OCR investigation determined that the theft of an unencrypted laptop resulted in a breach of electronic protected health information (ePHI) affecting over 20,000 individuals. Lifespan ACE’s systemic failure to comply with HIPAA regulations led to a $1,040,000.00 settlement with OCR.
What Caused the Data Breach?
On Saturday, February 25, 2017, a Lifespan ACE employee’s car was broken into while it was parked in a public lot. The thief found a MacBook laptop inside and took it. The subsequent investigation revealed that the MacBook, which has never been recovered, was not encrypted. As a result, whoever held the device had access to ePHI including patient names, medical record numbers, demographic information, and medication information. Because the data was not encrypted, it was “unsecured” PHI under HIPAA, so the theft was a reportable breach affecting patients of various affiliates, including Rhode Island Hospital, Lifespan Pharmacy LLC, and Lifespan’s retail and affiliated pharmacies and hospitals.
What Did the OCR Investigation Reveal?
As required by law, Lifespan ACE filed a breach report with OCR. The OCR investigation concluded that the following occurred:
Lifespan did not implement policies and procedures to encrypt all devices used for work purposes, in violation of the HIPAA Security Rule’s technical safeguards requirement. Encryption of ePHI is an “addressable” implementation specification: a covered entity must either implement it or document why an alternative is reasonable and appropriate. Notably, Lifespan’s own risk analysis had already determined that encrypting laptops was reasonable and appropriate, yet it failed to do so.
Lifespan did not implement policies and procedures to track or inventory all devices that access its network or that contain PHI, in violation of the HIPAA Security Rule’s physical safeguards requirement. In other words, Lifespan failed to implement the required device and media controls: without an accurate inventory, an organization cannot know which devices hold ePHI, which are encrypted, or what is exposed when one goes missing.
Lifespan did not have the proper business associate agreements in place between Lifespan Corporation and the Lifespan healthcare provider affiliates that are members of the Lifespan ACE. This failure is a violation of the HIPAA Privacy Rule requirement that there be a written business associate agreement in place between covered entities and business associates.
Lifespan impermissibly disclosed the PHI of 20,431 individuals, in violation of the HIPAA Privacy Rule.
What are the Terms of the OCR Settlement?
Lifespan ACE chose to resolve the matter through a settlement with OCR rather than face a formal civil money penalty for the numerous HIPAA violations OCR discovered. Under the settlement, Lifespan ACE must pay OCR $1,040,000 and adopt a corrective action plan. The two-year corrective action plan (CAP) requires Lifespan to properly train employees, create policies and procedures, and implement other measures to prevent an incident such as this one from recurring. OCR will monitor compliance with the CAP for its term. In announcing the settlement, OCR Director Roger Severino noted, “Laptops, cellphones, and other mobile devices are stolen every day, that’s the hard reality. Covered entities can best protect their patients’ data by encrypting mobile devices to thwart identity thieves.” The practical lesson is that the laptop theft itself was not the reason for the OCR settlement; the reasons were the failure to safeguard information through device and media controls, the failure to encrypt, and the lack of a business associate agreement. Had the laptop been encrypted in line with HHS guidance, the stolen data would not have been “unsecured” PHI, and the loss of the device would not have been a reportable breach at all.