A non-profit health system based in Rhode Island has agreed to pay a staggering 1.04 million dollar settlement to the Office for Civil Rights (OCR).

HIPAA Fine Violation Spotlight

HIPAA Fines Charged For Security and Privacy Rule Violation

Lifespan Health System Affiliated Covered Entity (Lifespan ACE) filed a breach report in April of 2017, reporting that an affiliated hospital employee’s laptop had been stolen which contained electronic protected health information (ePHI) on 20,431 individuals.

Any device containing ePHI should be encrypted to protect against exactly this kind of theft. However, the OCR’s investigation revealed systemic noncompliance with HIPAA rules. Lifespan ACE had performed some risk assessment and had determined that encrypting its devices was reasonable and appropriate, yet even after reaching that determination it failed to do so. The investigation also revealed a lack of device and media controls and a failure to have business associate agreements in place with the parent corporation of Lifespan ACE.

Roger Severino, the Director of the OCR, stated “Laptops, cellphones, and other mobile devices are stolen every day, that’s the hard reality. Covered entities can best protect their patients’ data by encrypting mobile devices to thwart identity thieves.”

Readers can be certain that the large settlement amount is the result of Lifespan ACE’s failure to take even the most rudimentary steps to protect their data, even after they had fully realized it was reasonable to do so. The OCR is continuing to pursue systemic noncompliance with a much heavier hand than simple mistakes or failures to properly implement procedures. The time for pleading ignorance of what is reasonable and appropriate is long past.