On July 27, 2020, the United State Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced that Lifespan Health System Affiliated Covered Entity (Lifespan) has agreed to pay $1,040,000 and implement a Corrective Action Plan (CAP) to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules related to the theft of an unencrypted laptop from an employee’s car. Lifespan is a non-profit health system based in Rhode Island which includes many healthcare provider affiliates and has designated itself as a HIPAA affiliated covered entity. This is the second Resolution Agreement announced by OCR in the last few days, following a FQHC’s resolution of alleged Security Rule violations.   

On April 21, 2017, Lifespan Corporation, the parent company and business associate of Lifespan, filed a breach report with OCR concerning the theft of an affiliated hospital employee’s laptop from the employee’s car. Lifespan determined that the employee’s work emails may have been cached in a file on the laptop’s hard drive. As a result, the laptop contained electronic protected health information (ePHI) including patients’ names, medical record numbers, demographic information, and medication information. The breach affected 20,431 patients.

OCR’s investigation uncovered systemic noncompliance with HIPAA, including a failure to encrypt ePHI on laptops after Lifespan determined it should do so. OCR also found Lifespan did not implement policies and procedures to track or inventory all devices that access the network or which contain ePHI. Lifespan also did not have a business associate agreement (BAA) in place with the Lifespan Corporation.

In addition to the substantial fine, Lifespan has entered into a two-year CAP and agreed to do the following:

• Provide HHS with details regarding Lifespan’s affiliated covered entities;
• Revise its BAA policies and procedures, which must be submitted to HHS for review;
• Designate an individual responsible for ensuring BAAs are entered into and create a process to assess current and future business relationships to determine if a BAA is required;
• Create a process for negotiating and entering into BAAs, including preparing a template BAA;
• Revise device and media control policies and procedures, subject to HHS’ approval;
• Train workforce members on the revised policies and procedures;
• Promptly investigate reports of potential violations of the revised policies and procedures and, if a violation has occurred, notify HHS within sixty (60) days; and
• Submit to HHS an implementation report verifying that HHS’ approved policies and procedures have been implemented, providing copies of training materials, and providing a Lifespan officer’s attestation that the training has been completed.

This OCR Resolution Agreement is an important and expensive reminder of the critical importance of implementing HIPAA Privacy and Security Rule safeguards. All covered entities – whether a small FQHC, a large academic medical center, and every other size of a provider – should review their policies and procedures to ensure they are appropriately protecting ePHI, giving extra attention to electronic devices such as laptops and cell phones that are easily lost or stolen. For large organizations with multiple affiliates, a business associate agreement is required between and among entities within the same corporate structure if one entity is performing HIPAA business associate services on behalf of a covered entity within the same organization.