[BreachExchange] OCR Imposes $1 Million HIPAA Penalty on Lifespan for Lack of Encryption and Other HIPAA Failures

Destry Winant destry at riskbasedsecurity.com
Wed Jul 29 09:38:03 EDT 2020


https://www.modernhealthcare.com/cybersecurity/lifespan-health-system-pay-1-million-hipaa-fine

The HHS’ Office for Civil Rights has imposed a $1,040,000 HIPAA
penalty on Lifespan Health System Affiliated Covered Entity (Lifespan
ACE) following the discovery of systemic noncompliance with the HIPAA
Rules.

Lifespan is a not-for-profit health system based in Rhode Island that
has many healthcare provider affiliates in the state. On April 21,
2017, a breach report was filed with OCR by Lifespan Corporation, the
parent company and business associate of Lifespan ACE, about the theft
of an unencrypted laptop computer on February 25, 2017.

The laptop had been left in an employee's vehicle in a public parking
lot; the vehicle was broken into and the laptop was stolen. It
contained information such as patient names, medical record numbers,
medication information, and demographic data of 20,431 patients of
Lifespan's healthcare provider affiliates.

OCR investigated the breach and discovered systemic noncompliance with
the HIPAA Rules. Lifespan ACE uses a variety of mobile devices and had
conducted a risk analysis to identify potential risks to the
confidentiality, integrity, and availability of ePHI. Through the risk
analysis, Lifespan ACE determined that the use of encryption on mobile
devices such as laptops was reasonable and appropriate given the level
of risk but failed to implement encryption. The lack of encryption was
a violation of 45 C.F.R. § 164.312(a)(2)(iv).

OCR also discovered Lifespan ACE had not implemented policies and
procedures that required the tracking of portable devices with access
to a network containing ePHI, nor was there a comprehensive inventory
of those devices, in violation of 45 C.F.R. § 164.310(d)(1).

Lifespan Corporation was a business associate of Lifespan ACE, but
both entities had failed to enter into a business associate agreement
with each other. Lifespan ACE had also not obtained a signed business
associate agreement from its healthcare provider affiliates, in
violation of 45 C.F.R. § 164.502(e).

As a result of the compliance failures, Lifespan ACE was responsible
for the impermissible disclosure of the ePHI of 20,431 individuals
when the laptop was stolen (see 45 C.F.R. § 164.502(a)).

Lifespan ACE agreed to settle the case, pay the financial penalty, and
adopt a comprehensive corrective action plan (CAP). The CAP requires
Lifespan ACE to enter into business associate agreements with its
affiliates and parent company, create an inventory of all electronic
devices, implement encryption and configure access controls, and
review and revise its policies and procedures with respect to device
and media controls. Those policies and procedures must be distributed
to the workforce and training must be provided on the new policies.
Lifespan ACE’s compliance efforts will be scrutinized by OCR for the
duration of the two-year CAP.

“Laptops, cellphones, and other mobile devices are stolen every day,
that’s the hard reality. Covered entities can best protect their
patients’ data by encrypting mobile devices to thwart identity
thieves,” said Roger Severino, OCR Director.

This is the second HIPAA penalty to be announced by OCR in the past
week. On July 23, 2020, OCR announced Metropolitan Community Health
Services dba Agape Health Services had been fined $25,000 for
longstanding, systemic noncompliance with the HIPAA Security Rule.
