On April 21, 2017, Lifespan Corporation, the parent company and business associate of Lifespan ACE, filed a breach report with Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS). An affiliated hospital employee’s laptop was reported stolen. This laptop contained electronic protected health information (ePHI), which included patient names, medical record numbers, demographic information, and medication information. This breach affected 20,431 patients.
OCR investigated and discovered Lifespan’s systemic noncompliance with HIPAA Rules, including a failure to encrypt ePHI on laptops after Lifespan ACE determined it was reasonable and appropriate to do so. OCR also discovered a lack of device and media controls, and a failure to have a business associate agreement in place with the Lifespan Corporation. On June 26, 2020, OCR and Lifespan signed a settlement agreement, which imposed a $1,040,000 fine, and required Lifespan to agree to a corrective action plan that included two years of monitoring. The resolution agreement and corrective action plan can be found here.
This outcome demonstrates the continuing importance of protecting patient information and complying with HIPAA Rules regarding ePHI. As the COVID pandemic has forced employees to learn to work remotely, it is more important than ever to ensure that laptops, mobile devices, email platforms and electronic health systems are secure and structured consistent with the HIPAA requirements.
Please do not hesitate to contact us with any questions you may have about protecting ePHI or other HIPAA-related questions.