OCR makes example of the importance of mobile device security with $850,000 settlement

HIM-HIPAA Insider, December 7, 2015

Lahey Hospital and Medical Center in Burlington, Massachusetts, agreed to pay an $850,000 settlement to OCR for potential HIPAA violations resulting from the theft of an unencrypted laptop on August 11, 2011. According to HHS’s statement, the laptop was used to operate a portable CT scanner and produced images for viewing through the hospital’s radiology information system and picture archiving and communication system. The laptop and CT scanner had been left overnight in an unlocked treatment room in the hospital’s radiology department. The laptop contained the PHI of 599 patients. Lahey reported the theft to HHS on October 11, 2011, according to the resolution agreement.

OCR’s subsequent investigation produced evidence of “widespread non-compliance.” The press release and agreement specifically list the hospital’s non-compliance, including the following:

  • Failure to conduct a risk analysis
  • Lack of physical safeguards
  • Failure to implement and enforce policies and procedures governing the storage, use, movement, and removal of portable devices that contain ePHI
  • Absence of unique user name and user tracking system
  • Not recording and examining activity at the workstation

OCR concluded that these oversights led to the “impermissible disclosure” of patients’ PHI. Covered entities are expected to apply appropriate measures to ensure the security of workstations and devices and the safety of the PHI they contain, Jocelyn Samuels, director of OCR, said in HHS’s statement.

In addition to the settlement, Lahey agreed to conduct an enterprise-wide risk analysis and submit it, together with a risk management plan, to OCR. The hospital is also required to report specific events and provide evidence of compliance. Once HHS approves its risk management plan, Lahey, under the terms of the Corrective Action Plan, will submit its new security policies and procedures to HHS for review and approval.
