HHS Resolution Agreement: Lifespan ACE (June 26, 2020); HHS News Release (July 27, 2020)
HHS’s Office for Civil Rights (OCR) has announced a $1,040,000 settlement with a health system (a HIPAA covered entity) to resolve alleged violations of HIPAA’s security rule. OCR’s investigation followed the theft of a laptop computer from an employee’s car. The laptop was never recovered, and the health system determined that the employee’s work emails may have been cached in a file on the laptop’s hard drive. An internal analysis revealed that the thieves had access to protected health information (PHI) of more than 20,000 individuals, including patient names; medical record numbers; demographic information, such as partial address information; and the names of medications that were prescribed or administered to patients. The PHI may have included patients’ information across various affiliated provider facilities, including hospitals and pharmacies. After investigation, OCR alleged that the health system violated HIPAA by failing to encrypt work devices and by failing to implement policies and procedures to inventory and track the movement of network devices containing PHI. Moreover, the health system failed to enter into business associate contracts with affiliated provider entities.
In addition to the settlement payment, the health system agreed to a two-year corrective action plan. Among other requirements, the health system must inventory all devices and equipment; determine the number that are encrypted; and develop a plan for encrypting the remainder (or explain why encryption is not reasonable and appropriate and describe compensating alternative measures). The health system must document and report details about the encryption to OCR, updated with supporting evidence that appropriate encryption has been implemented and periodically tested. It must also report on network access controls and develop policies and procedures to inventory and track movement of devices into, out of, and within the system’s facilities. The policies and procedures must be distributed to workforce members and used for workforce training, which must be updated at least annually. The health system must also submit periodic compliance reports to OCR.
EBIA Comment: OCR’s press release notes that the health system had previously determined that encryption of laptops was reasonable and appropriate. This reminds us of previous OCR enforcement actions, including a $4.3 million civil monetary penalty in 2018 (see our Checkpoint article) and a $2.5 million settlement in 2017 (see our Checkpoint article), both of which involved theft of unencrypted laptops. OCR continues to be serious about HIPAA enforcement, especially with respect to encryption and tracking of portable devices. If devices containing PHI are not encrypted, covered entities and business associates should be prepared to explain why encryption was not reasonable and appropriate and to demonstrate adoption of equivalent alternative measures. For more information, see EBIA’s HIPAA Portability, Privacy & Security manual at Sections XX.D (“Resolution Agreements”) and XXX (“Core Security Requirements”). You may also be interested in our upcoming webinar “HIPAA Breaches: Preparation and Response” (live on 9/10/2020).
Contributing Editors: EBIA Staff.