Lifespan Health System Affiliated Covered Entity (Lifespan ACE), a Rhode Island based non-profit health system comprised of hospitals and other healthcare providers, agreed to pay $1,040,000 to HHS’s Office of Civil Rights (OCR) and to implement a corrective action plan in order to resolve an investigation into potential violations of HIPAA. The investigation arose from the theft of an unencrypted laptop.
Specifically, in April 2017, an affiliated hospital employee’s laptop was stolen. The laptop reportedly had the electronic protected health information (ePHI) of over 20,000 individuals including patient names, medical record numbers, and medication information. The breach was reported to OCR, which oversees enforcement of the HIPAA Privacy and Security rules.
OCR’s investigation found a failure to encrypt ePHI on laptops after Lifespan ACE’s internal polices had determined encryption was reasonable and appropriate. There also wasn’t a business associate agreement in place with Lifespan ACE’s parent company and business associate, Lifespan Corporation.
The breach resulted in a settlement in which Lifespan ACE agrees to pay OCR $1,040,000, implement encryption within 90 days, revise its policies and procedures, and be monitored by OCR for two years.
OCR Director Roger Severino cautioned “laptops, cellphones, and other mobile devices are stolen every day, that’s the hard reality. Covered entities can best protect their…data by encrypting mobile devices to thwart identity thieves.”
Employer plan sponsors should review their policies and procedures for compliance. While encryption is still not required of covered entities or business associates, employers should consider it as an effective defense against a breach of privacy information.
OCR Press Release »
Resolution Agreement »