The day before Thanksgiving, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced the largest resolution agreement of 2015, against Lahey Hospital and Medical Center (Lahey). The incident giving rise to the $850,000 settlement was apparently an isolated theft: a radiology laptop used for CT scans, holding the electronic protected health information (ePHI) of 599 patients, was taken from an unlocked treatment room.
As with all investigations conducted by OCR following a reported breach, OCR identified several areas where the hospital purportedly failed to comply with HIPAA:
Moreover, in addition to payment of the settlement amount, OCR has put in place a two-year corrective action plan (CAP), which requires the hospital to conduct an enterprise-wide risk analysis, enhance its policies, procedures and training, and report policy violations (not just breaches) to OCR for review. Oftentimes the CAP is the most difficult piece of the settlement to address, because it sometimes goes beyond what HIPAA actually requires.
After working with clients through over 100 breach investigations by OCR, we have identified several areas that have consistently remained “hot buttons” since the implementation of HITECH in 2009:
Additionally, there has been a recent focus on the safeguards in place to help mitigate or prevent cyberattacks, which include:
Don’t wait until you are in the crosshairs of OCR during a breach investigation to address and document these activities. Additional guidance from HHS on how to protect ePHI on mobile devices can be found here.