A stolen laptop can be worth more than $800,000. At least that was the case with a laptop taken from Lahey Clinic Hospital, Inc. in 2011. The HHS Office for Civil Rights (OCR) recently ruled that Lahey — based in Burlington, Mass. — must pay an $850,000 fine for violations of the HIPAA Privacy and Security Rules, stemming from the loss of that laptop.
The stolen laptop was used in conjunction with a computerized tomography (CT) scanner and held the electronic protected health information (ePHI) of nearly 600 patients. Lahey reported the breach to OCR, which prompted an investigation of Lahey’s security practices. The OCR probe identified six primary infractions, including the impermissible disclosure of ePHI, the failure to implement procedures governing the movement of devices containing ePHI into and out of the facility, and a lack of “physical safeguards for a workstation that accesses ePHI to restrict access to authorized users.”
On top of paying the fine, Lahey entered into a corrective action plan with HHS under which it must demonstrate that it has taken steps to prevent future breaches. The plan requires Lahey to conduct a risk analysis of its entire organization and document any security vulnerabilities affecting ePHI. Lahey must then submit the resulting risk analysis report, along with a separate risk management plan, to HHS for review.
While OCR watches over hospitals, the Office of the Inspector General (OIG) is monitoring OCR. The OIG — another HHS office with responsibility for ePHI matters — has put the topic in its work plan for the 2016 fiscal year. The OIG said it will assess OCR’s enforcement of ePHI security next year and determine whether it is sufficient. Specifically, OIG will check that OCR is conducting regular audits of HIPAA covered entities and business associates to confirm that those entities comply with HIPAA and the HITECH Act. The Food and Drug Administration (FDA) will also be in the OIG’s crosshairs in 2016, when OIG plans to evaluate how well the FDA is overseeing medical devices and the security of their interactions with ePHI.