Lifespan Health System Slapped with $1 Million Fine for Noncompliance with the HIPAA Rules

For the second time in a week, the HHS’ Office for Civil Rights (OCR) has announced a fine has been imposed on a HIPAA-covered entity for systemic noncompliance with HIPAA Rules.

Lifespan Health System Affiliated Covered Entity (Lifespan ACE), a non-profit health system based in Rhode Island, has agreed to pay a $1,040,000 financial penalty and adopt a corrective action plan to resolve its HIPAA compliance case with OCR.

An investigation was launched by OCR following a data breach at Lifespan ACE that was reported on April 21, 2017. An employee had left an unencrypted laptop computer in a vehicle from where it was stolen. The laptop computer contained the protected health information of 20,431 individuals, including patients of its affiliated healthcare providers in Rhode Island.

OCR investigates all breaches that impact 500 or more individuals to determine whether the breach was the result of HIPAA compliance failures. The investigation into Lifespan ACE revealed that several provisions of the HIPAA Rules had been violated. Had the HIPAA Rules been followed, the data breach would have been prevented.

The HIPAA Security Rule does not demand the use of encryption, as encryption is only an addressable standard. Covered entities are required to conduct a risk analysis to identify threats to the confidentiality, integrity, and availability of ePHI, and the results of that analysis determine whether encryption is reasonable and appropriate. Lifespan ACE had conducted a risk assessment and determined that encryption of portable electronic devices was reasonable and appropriate, but did not encrypt its devices.

Policies and procedures had not been implemented requiring portable electronic devices containing ePHI – or devices that could access networks containing ePHI – to be tracked, and a comprehensive inventory of such devices had not been created.

Lifespan ACE had not entered into a business associate agreement with its parent company and business associate, Lifespan Corporation, or with its healthcare provider affiliates. As a direct result of some of these HIPAA violations, there had been an impermissible disclosure of the electronic protected health information of 20,431 individuals.

Lifespan ACE chose to settle the case with OCR and adopt a robust corrective action plan covering all areas of noncompliance. Lifespan ACE must report back to OCR on all of the issues outlined in the corrective action plan. OCR will also be monitoring Lifespan ACE closely over the next two years. The settlement resolves the case, but further action can be taken by OCR if the corrective action is not taken within the agreed timescale.

“Laptops, cellphones, and other mobile devices are stolen every day, that’s the hard reality. Covered entities can best protect their patients’ data by encrypting mobile devices to thwart identity thieves,” said Roger Severino, OCR Director.