Lifespan Settles with OCR For HIPAA Violations

King & Spalding

On July 27, 2020, HHS issued a press release indicating that Lifespan Health System Affiliated Covered Entity (Lifespan), a non-profit health system in Rhode Island, reached a settlement with the Office for Civil Rights (OCR). Lifespan will pay OCR $1.04 million and has entered into a Corrective Action Plan with HHS to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA). This is the second settlement within the last week between a healthcare provider and OCR over potential HIPAA violations, after Metropolitan Community Health Services settled with OCR for $25,000 on July 23, 2020.

The settlement results from the theft of a laptop from a Rhode Island Hospital employee’s car on February 25, 2017. On April 21, 2017, Lifespan Corporation, the parent company and business associate of Lifespan, filed a breach report with OCR regarding the theft. Lifespan ascertained that the employee’s work emails may have been cached in a file on the device’s hard drive, providing the thieves with access to patient names, medical record numbers and other protected health information (PHI). The theft may have allowed access to the data for over 20,000 patients across various Lifespan Corporation provider facilities.

During the course of its investigation regarding the theft, OCR found that Lifespan: (1) had failed to implement policies and procedures to encrypt all devices; (2) did not administer the requisite policies and procedures to track or inventory all devices accessing the network that contain electronic PHI; (3) did not have proper business associate agreements in place between Lifespan Corporation and the Lifespan healthcare provider affiliates that are members of Lifespan; and (4) impermissibly disclosed the PHI of 20,431 individuals.

Within 30 days of the effective date of the Corrective Action Plan, Lifespan must provide HHS with evidence of the status of the Lifespan affiliated covered entity (ACE) and of which covered entities are members of the ACE. Lifespan has 90 days from the effective date of the Corrective Action Plan to report to HHS with proof of encryption and access controls. Lifespan is also required to revise its policies and procedures regarding its business associate agreements and to create a standard business associate agreement (BAA) template. All Lifespan workforce members with access to electronic PHI must receive specific training on the policies and procedures pertaining to device and media controls. The Corrective Action Plan additionally places Lifespan under monitoring for a total of two years. The entirety of the Corrective Action Plan, which includes additional details regarding Lifespan’s obligations under the agreement, can be found here.

The HHS press release is available here.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© King & Spalding | Attorney Advertising
