The HHS’ Office for Civil Rights (OCR) has imposed a $1,040,000 HIPAA penalty on Lifespan ACE, an affiliated covered entity of Lifespan Health System, after finding systemic noncompliance with the HIPAA Rules.
Lifespan is a non-profit health system in Rhode Island with several healthcare provider affiliates across the state. Lifespan Corporation, which is both the parent company of Lifespan ACE and its business associate, submitted a breach report to OCR on April 21, 2017, concerning the theft of an unencrypted laptop on February 25, 2017.
The laptop had been left inside a staff member’s vehicle, which was parked in an open lot when it was broken into. The thief took a laptop containing data including patient names, medical record numbers, medication details, and demographic information of 20,431 patients of its healthcare provider affiliates.
OCR investigated the breach and uncovered systemic violations of the HIPAA Rules. Lifespan ACE uses a number of portable devices and had conducted a risk analysis to identify potential risks to the confidentiality, integrity, and availability of ePHI. Through that risk analysis, Lifespan ACE recognized the importance of encrypting mobile devices such as laptops given the level of risk, but failed to implement encryption. The lack of encryption was a violation of 45 C.F.R. § 164.312(a)(2)(iv).
OCR also found that Lifespan ACE had not implemented policies and procedures requiring the tracking of portable devices with access to a network storing ePHI, nor did it maintain a complete inventory of those devices, in violation of 45 C.F.R. § 164.310(d)(1).
Additionally, no business associate agreement (BAA) had been entered into between Lifespan Corporation and Lifespan ACE. Lifespan ACE had likewise not obtained a signed BAA from its healthcare provider affiliates, in violation of 45 C.F.R. § 164.502(e).
As a result of these compliance failures, Lifespan ACE was responsible for the impermissible disclosure of 20,431 individuals’ ePHI when the laptop was stolen. See 45 C.F.R. § 164.502(a).
Lifespan ACE agreed to settle the case, pay the financial penalty, and adopt a detailed corrective action plan (CAP). The CAP requires Lifespan ACE to enter into business associate agreements with its affiliates and parent company, create an inventory of all electronic devices, implement encryption and configure access controls, and review and revise its policies and procedures for device and media controls. Those policies and procedures must be distributed to the workforce, and training must be provided on the new policies. OCR will monitor Lifespan ACE’s compliance efforts for two years.
OCR Director Roger Severino explained that laptops, cell phones, and other portable devices are stolen every day; that is the sad reality. Covered entities can best safeguard their patients’ information by encrypting portable devices to ward off identity thieves.
This is the second HIPAA penalty announced by OCR in the past week. On July 23, 2020, OCR announced that Metropolitan Community Health Services, doing business as Agape Health Services, had been fined $25,000 for repeated, systemic violations of the HIPAA Security Rule.