OCR Continues Waving Its HIPAA Enforcement Flag: Don’t Forget About Medical Devices


The day before Thanksgiving, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced the largest resolution agreement of 2015, against Lahey Hospital and Medical Center (Lahey). The incident giving rise to the $850,000 settlement was apparently an isolated theft involving 599 patients with electronic protected health information (ePHI) on a radiology laptop used for CT scans in an unlocked treatment room.

As with all investigations conducted by OCR following a reported breach, OCR identified several areas where the hospital purportedly failed to comply with HIPAA:

  • Failure to conduct a thorough risk analysis of all of its ePHI
  • Failure to physically safeguard a workstation that accessed ePHI
  • Failure to implement and maintain policies and procedures regarding the safeguarding of ePHI maintained on workstations utilized in connection with diagnostic/laboratory equipment
  • Lack of a unique user name for identifying and tracking user identity with respect to the workstation at issue in this incident
  • Failure to implement procedures that recorded and examined activity in the workstation at issue in this incident
  • Impermissible disclosure of 599 individuals’ PHI

Moreover, in addition to the payment of the settlement amount, OCR has in place a two-year corrective action plan (CAP), which requires the hospital to conduct an enterprisewide risk analysis, enhance policy procedures and training, and report policy violations (not just breaches) to OCR for review. Oftentimes the CAP is the most difficult piece of the settlement to address because it sometimes goes beyond what HIPAA actually requires.

After working with clients through over 100 breach investigations by OCR, we have identified several areas that have consistently remained “hot buttons” since the implementation of HITECH in 2009:

  • Mobile device and transmission security.
    • Encryption
    • Device Inventory, Tracking, and Monitoring
    • Facility Security and Theft Prevention
  • Risk Analyses and risk management/mitigation plans.
  • Third-party access to PHI (Business Associates).
  • Staff education and sanctions.

Additionally, there has been a recent focus on safeguards in place to help mitigate or prevent cyberattacks, which include:

  • Intrusion Detection Software
  • Antivirus Software
  • Logging
  • Updating
  • Access Controls
  • Training

Don’t wait until you are in the crosshairs of OCR during a breach investigation to address and document these activities. Additional guidance from HHS on how to protect ePHI on mobile devices can be found here.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© BakerHostetler | Attorney Advertising

Written by:


BakerHostetler on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.