On July 27, 2020, HHS issued a press release indicating that Lifespan Health System Affiliated Covered Entity (Lifespan), a non-profit health system in Rhode Island, reached a settlement with the Office for Civil Rights (OCR). Lifespan will pay OCR a $1.04 million monetary penalty and has entered into a Corrective Action Plan with HHS to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA). This is the second settlement that has occurred within the last week between a healthcare provider and OCR due to HIPAA violations, after Metropolitan Community Health Services settled with OCR for $25,000 on July 23, 2020.

The settlement results from the theft of a laptop from a Rhode Island Hospital employee’s car on February 25, 2017. On April 21, 2017, Lifespan Corporation, the parent company and business associate of Lifespan, filed a breach report with OCR regarding the theft. Lifespan ascertained that the employee’s work emails may have been cached in a file on the device’s hard drive, providing the thieves with access to patient names, medical record numbers and other protected health information (PHI). The theft may have allowed access to the data for over 20,000 patients across various Lifespan Corporation provider facilities.

During the course of its investigation regarding the theft, OCR found that Lifespan: (1) had failed to implement policies and procedures to encrypt all devices; (2) did not administer the requisite policies and procedures to track or inventory all devices accessing the network that contain electronic PHI; (3) did not have proper business associate agreements in place between Lifespan Corporation and the Lifespan healthcare provider affiliates that are members of Lifespan; and (4) impermissibly disclosed the PHI of 20,431 individuals.

Within 30 days of the effective date of the Corrective Action Plan, Lifespan must provide HHS with evidence of the status of the Lifespan ACE and what covered entities are members of the ACE. Lifespan has 90 days from the effective date of the Corrective Action Plan to provide proof of encryption and access controls through a report to HHS. Lifespan is also required to revise its policies and procedures regarding its business associate agreements, and it will have to create a standard, BAA template. All Lifespan workforce members with access to electronic PHI are required to receive specific training on the policies and procedures pertaining to device and media controls. The Corrective Action Plan additionally requires Lifespan to be monitored for a total of two years. The entirety of the Corrective Action Plan, which includes additional details regarding Lifespan’s obligations under the agreement can be found here.

The HHS press release is available here.