
“A Laptop! A Laptop! My Kingdom For a Laptop!”

August 3, 2020

What’s a laptop cost? How about $1,040,000? Nope, it’s not the world’s first quantum computing MacBook. It’s just a regular old one. Heck, it’s even used!

And therein lies the problem.

That’s the price that the Rhode Island based non-profit Lifespan Health System Affiliated Covered Entity (“Lifespan”) agreed to pay the government as the penalty for the theft of a single laptop that might have contained unencrypted PHI to which the thieves had access.

The story started out on a Saturday like many others. A hospital employee parked in a public lot. But then, thieves broke into the parked vehicle and stole, among other things, a MacBook laptop used by the employee for work. The laptop was never seen again. Neither were the thieves.

Now here comes the “might have, sort of” part, the part that should really scare you. There doesn’t appear to be any actual evidence that anyone illegally accessed PHI. Nor, for purposes of HIPAA violation, does there have to be.

Upon investigation, it was determined that the employee’s work emails might have been cached in a file on the device’s hard drive, and that the thieves “had access to” patient names, medical record numbers, demographic information, including partial address information, and the name of one or more medications that were prescribed or administered to patients.

Despite all of those might haves, the loss of the laptop constituted a HIPAA breach because the PHI on that single MacBook was not encrypted.

According to a press release issued on July 27, 2020, by the Office for Civil Rights (“OCR”), the agency of the U.S. Department of Health and Human Services charged with HIPAA enforcement, the investigation determined that there was systematic noncompliance with the HIPAA Rules within Lifespan. Among the noncompliance was the failure to encrypt ePHI on laptops after Lifespan had determined that it was reasonable and appropriate to do so. The investigation also revealed a lack of device and media controls.

Mobile devices, from laptops to cell phones, are stolen every day. Cars containing those devices, even ones locked “securely,” or so we think, in their trunks, are broken into or themselves stolen every day. Other such devices are simply misplaced.

That’s why ePHI on those devices must be encrypted.

The settlement highlights the fact that simply having a HIPAA compliance plan, even one that requires encryption, is worthless if it is not enforced, and it is less than worthless if you have a plan that you know is not being complied with and you do nothing about it.

The sad story also highlights the issue of the security of any PHI, electronic or on paper, that is exposed to theft, or even loss, in transit, whether the transit is via a car, a pocket, or a briefcase.

In addition to the $1,040,000 payment, Lifespan entered into an agreement with the government requiring a corrective action plan including two years of monitoring.

For help with both crafting your compliance plan and creating an actual working compliance program, email me now. I can guarantee that it will cost you less than $1,040,000, plus a corrective action plan, plus attorneys’ fees, plus bad publicity, plus exposure to other potential liability.
