OCR Sanctions $1M HIPAA Fine on Lifespan for Lack of Encryption

The HHS’ Office for Civil Rights has sanctioned a $1,040,000 HIPAA fine on Lifespan Health System Affiliated Covered Entity (Lifespan ACE) following the discovery of systemic noncompliance with the HIPAA legislation.

Lifespan is a not-for-profit health system located in Rhode Island that has many healthcare supplier affiliates in the State. On April 21, 2017, a breach report was submitted to the OCR by Lifespan Corporation, the parent entity and business associate of Lifespan ACE, about the theft of an unencrypted computer at some point during February 25, 2017.

The laptop had been left in the car of a staff member in a public parking lot and was broken into. A laptop was illegally taken that was holding data such as patient names, medical record numbers, medication details, and demographic data of 20,431 patients of its healthcare supplier affiliates.

OCR looked into the breach and found that systemic noncompliance with the HIPAA Rules. Lifespan ACE uses a variety of mobile devices and had completed a risk analysis to identify potential dangers to the confidentiality, integrity, and availability of ePHI. Via a risk analysis, Lifespan ACE determined that the use of encryption on mobile devices such as laptops was reasonable and proper due to the level of risk but failed to implement encryption. The lack of encryption was a breach of 45 C.F .R. § I 64.312(a)(2)(iv).

OCR also found out that Lifespan ACE had not put in place policies and procedures that necessitated monitoring portable devices with access to a network containing ePHI, nor was there a comprehensive inventory of those devices, in breach of 45 C.F.R. § 164.310(d)(1).

Lifespan Corporation was a business associate of Lifespan ACE, but both entities had not completed a business associate agreement with each other. Lifespan ACE had also not obtained a completed business associate agreement from its healthcare provider affiliates, in breach of 45 C.F.R. § 164.502(e).

Due to the compliance failures, Lifespan ACE was to blame for the impermissible disclosure of the ePHI of 20,431 individuals when the laptop was illegally taken – See 45 C.F.R. § 164.502(a).

Lifespan ACE agreed to settle the case, hand over the financial penalty, and implement a thorough corrective action plan (CAP). The CAP requires Lifespan ACE to enter into business associate agreements with its affiliates and parent company, create an inventory of all electronic devices, put in place encryption and configure access controls, and review and rreconsider its policies and procedures with respect to device and media controls. Those policies and processes must be shared with the workforce and training must be provided on the new policies. Lifespan ACE’s compliance efforts will be scrutinized by OCR for the duration of the two-year CAP.

Roger Severino, OCR Director remarked: “Laptops, cellphones, and other mobile devices are stolen every day, that’s the hard reality.  Covered entities can best protect their patients’ data by encrypting mobile devices to thwart identity thieves”.