OCR Imposes $1 Million HIPAA Penalty on Lifespan for Lack of Encryption and Other HIPAA Failures

The HHS’ Office for Civil Rights (OCR) has imposed a $1,040,000 HIPAA penalty on Lifespan Health System Affiliated Covered Entity (Lifespan ACE) after finding systemic noncompliance with the HIPAA Rules.

Lifespan is a not-for-profit health system based in Rhode Island with numerous healthcare provider affiliates in the state. On April 21, 2017, Lifespan Corporation, the parent company of Lifespan ACE and its business associate, filed a breach report with OCR concerning the theft of an unencrypted laptop computer on February 25, 2017.

The laptop had been left in an employee’s vehicle in a public parking lot, and the vehicle was broken into. The stolen laptop stored the names, medical record numbers, prescribed medication information, and demographic data of 20,431 patients of Lifespan’s healthcare provider affiliates.

OCR investigated the breach and uncovered systemic noncompliance with the HIPAA Rules. Lifespan ACE uses a range of mobile devices and had performed a risk analysis to identify risks to the confidentiality, integrity, and availability of ePHI. That risk analysis determined that encryption of mobile devices, including laptops, was necessary given the level of risk, yet Lifespan ACE never implemented it. Encryption is an addressable specification under the Security Rule, which means that once a risk analysis shows it is reasonable and appropriate, a covered entity must either implement it or document an equivalent alternative; doing neither violates 45 C.F.R. § 164.312(a)(2)(iv).

OCR also found that Lifespan ACE had not implemented policies and procedures to track the movement of mobile devices with access to a network containing ePHI, nor did it maintain a complete inventory of those devices, in violation of 45 C.F.R. § 164.310(d)(1).

In addition, no business associate agreement (BAA) had been signed between Lifespan Corporation and Lifespan ACE, and Lifespan ACE had not obtained signed BAAs from its healthcare provider affiliates, in violation of 45 C.F.R. § 164.502(e).

As a result of these failures, Lifespan ACE impermissibly disclosed the ePHI of 20,431 individuals when the laptop was stolen, in violation of 45 C.F.R. § 164.502(a).

Lifespan ACE agreed to settle the case, pay the financial penalty, and adopt a comprehensive corrective action plan (CAP). The CAP requires Lifespan ACE to enter into BAAs with its healthcare affiliates and its parent company, create an inventory of all electronic devices, implement encryption and access controls, and review and revise its policies and procedures on device and media controls. Those policies and procedures must be distributed to the workforce, and training must be provided on the new requirements. OCR will monitor Lifespan ACE’s compliance efforts for the two-year term of the CAP.

OCR Director Roger Severino stated that laptops, mobile phones, and other mobile devices get stolen every day, and that is the unfortunate truth; covered entities can best protect their patients’ data by encrypting mobile devices to combat identity thieves.

This is the second HIPAA penalty announced by OCR last week. On July 23, 2020, OCR announced that Metropolitan Community Health Services, also known as Agape Health Services, had agreed to pay $25,000 for persistent, systemic noncompliance with the HIPAA Security Rule.