The Department of Health and Human Services Office for Civil Rights (“OCR”) announced yet another settlement with a covered entity over a HIPAA breach on Tuesday, November 24th. The settlement is an early holiday season gift from OCR. All in the healthcare industry should be clearly on notice that security and protection of devices, whether mobile or not, is essential.
The new settlement announced by OCR is with Lahey Clinic Hospital (“Lahey”) in Massachusetts. In October 2011, Lahey reported the theft of an unencrypted laptop used with a CT scanner. The laptop was stored in an unlocked treatment room off a hallway within the radiology department. After investigation, OCR found, among other things, that Lahey had not adequately conducted a risk analysis, failed to implement appropriate physical safeguards, and failed to sufficiently monitor receipt and removal of hardware that stored PHI. These findings led to a settlement in the amount of $850,000 between Lahey and OCR.
In addition to paying money, Lahey also entered into a Corrective Action Plan with OCR. The presence of a Corrective Action Plan is not overly surprising. With regard to security, Lahey will need to specifically focus on workstation access and storage, especially in connection with diagnostic and laboratory equipment. Further, like all entities, Lahey will conduct a risk analysis to develop a comprehensive plan of issues to address. The targeted identification of equipment similar to that giving rise to the breach is the noteworthy piece.
However, a risk analysis would not necessarily mean that a device would need to be encrypted. As is noted so often, encryption is an addressable element in the HIPAA Security Rule. As such, the risk analysis would not have to say that encryption would have to occur. That being said, it is very hard to believe in this day and age that encryption would not be feasible.
A real message from the settlement is the increasingly short fuse that OCR has concerning breaches that result from unencrypted devices. Even though Lahey’s breach occurred in 2011 (arguably before encryption became a hot button issue), OCR levied a fairly significant fine. If organizations want to avoid paying a large settlement, encryption must be an essential element of security compliance.
At this point, it is not a good strategy to test OCR’s patience. As discussed above and from other recent settlements, losing or having an unencrypted laptop or mobile device stolen is a sure way to pay money to OCR.
Additionally, the Lahey settlement is another reminder of the need to consider different forms of equipment and exposure points. While a laptop is a known issue, a laptop connected to a CT scanner or other medical equipment may not be an obvious vulnerability. Some organizations may assume that a manufacturer will guarantee security compliance. This may not be an accurate assumption, and all such devices need to be included in a risk analysis. To some degree, this settlement offers a warning similar to what occurred a few years ago when PHI was found in a leased photocopier. Be comprehensive and all-encompassing when conducting a risk analysis.
There are many threats to healthcare organizations and it will be impossible to prevent all of them. However, with a solid plan in place and proactive monitoring, it is possible to reduce risks.