HIPAA Settlement Reinforces Lessons for Users of Medical Devices
October 14th, 2016
It is safe to say that the government has taken off the kid gloves regarding HIPAA penalties. One only has to review the Office for Civil Rights (OCR) press releases and website to see the substantial fines levied for HIPAA violations over the last two years.
For example, Lahey Hospital and Medical Center in Burlington, MA, has agreed to pay $850,000 for such a violation. The hospital has also agreed to a resolution agreement and risk management plan.
The violation involves a laptop that was stolen from an unlocked treatment room. The laptop was on a stand by the portable CT scanner where it was used to produce images for viewing through the Radiology Department’s Information System and Picture Archiving System. The laptop contained the information of 599 patients.
The hospital had not conducted a risk analysis covering all of its electronic protected health information (ePHI), nor had it physically safeguarded the workstation.
The OCR also noted Lahey’s failure to implement adequate policies and procedures, including a policy on how to safeguard ePHI that exists on all workstations used with diagnostic equipment.
This case comes on the heels of another HIPAA breach in which Triple-S Management Corporation agreed to a $3.5 million settlement and to enter into a robust corrective plan.
These cases illustrate recent trends in which violations of HIPAA have resulted in substantial fines. All hospitals and healthcare facilities should be in compliance with HIPAA. Hospitals should ensure that they have a trained and effective HIPAA compliance officer to oversee the program. Staff should be well trained and understand the HIPAA law.
OCR offers a number of free resources, including a document on how to protect and secure health information when using mobile devices and what to do if a mobile device is stolen. Hospitals and other facilities should conduct a risk assessment of mobile devices such as laptops and phones. Technology exists that can remotely wipe a mobile device should a theft occur.
For more information, please visit: https://www.healthit.gov/providers-professionals/your-mobile-device-and-health-information-privacy-and-security.
The Resolution Agreement and Corrective Action Plan can be found on the OCR website at: http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/lahey.html.
To read the press release, please visit: http://www.hhs.gov/about/news/2015/11/25/hipaa-settlement-reinforces-lessons-users-medical-devices.html.