On July 27, 2020, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced a resolution agreement with Lifespan Health System Affiliated Covered Entity (Lifespan ACE) to resolve alleged violations of the HIPAA Privacy and Security Rules. According to the resolution agreement, Lifespan ACE agreed to pay HHS $1.04 million and implement a two-year corrective action plan.
Lifespan ACE, a non-profit health system based in Rhode Island, has designated itself as a HIPAA affiliated covered entity[1] and has various healthcare provider affiliates, including Rhode Island Hospital. On February 25, 2017, a laptop used for work purposes by an employee of Rhode Island Hospital was stolen, resulting in the impermissible disclosure of the protected health information (PHI) of 20,341 individuals. Notably, the PHI on the stolen laptop may have included information about not only Rhode Island Hospital patients, but also patients of other provider affiliates of Lifespan ACE, including pharmacies and other hospitals. Lifespan Corporation (the parent company and business associate of Lifespan ACE) filed a breach report with OCR, and the subsequent investigation indicated systemic noncompliance with HIPAA Rules by Lifespan ACE, including (i) a failure to encrypt all devices used for work purposes despite an internal risk analysis that determined the use of encryption was reasonable and appropriate, (ii) a failure to track or inventory all devices that access the network or contain ePHI, and (iii) a failure to have the proper business associate agreements in place between Lifespan Corporation and the provider affiliates that are members of Lifespan ACE.
As part of the corrective action plan, Lifespan ACE must provide HHS (i) a report of the covered entities that are members of the Lifespan ACE, (ii) an accounting of business associate agreements between Lifespan Corporation and provider affiliates of the Lifespan ACE, and (iii) reports regarding the encryption and network access controls implemented on Lifespan ACE devices and equipment.
Along with highlighting the criticality of encryption and device management, OCR’s latest settlement underscores the need for covered entities that form an ACE to carefully analyze all relationships, including their relationship with their ACE parent company, to determine whether they necessitate a business associate agreement. Another critical aspect of OCR’s position appears to be that the failure to encrypt ePHI on laptops continued after Lifespan ACE determined it was reasonable and appropriate to do so. This illustrates that—although foundational—completing a security risk analysis is not enough. Providers must then act on any identified risks and vulnerabilities, implementing security measures sufficient to reduce them to a reasonable and appropriate level in compliance with the HIPAA Security Rule.
[1] 45 C.F.R. § 164.105(b) allows legally separate covered entities under common ownership or control to designate themselves as a single covered entity for purposes of 45 C.F.R. Part 164.