The HHS Office for Civil Rights is sanctioning Lahey Hospital and Medical Center in Massachusetts for what it terms widespread non-compliance with HIPAA privacy and security rules.

As part of the settlement, Lahey has agreed to pay an $850,000 fine and adopt a robust corrective action plan. This is the 28th time OCR has sanctioned a HIPAA-covered entity for non-compliance with the privacy and/or security rules.

The fine and corrective action plan stem from the theft of a laptop from an unlocked treatment room in August 2011. The laptop contained limited protected health information on medical imaging examinations for 599 individuals, according to OCR.

In a response to the OCR action, Lahey said the theft was an isolated incident, that it took immediate action to delete patient information and that it has since hardened security measures.

OCR’s subsequent investigation of the incident found a series of failures to comply with HIPAA, including: not conducting a thorough risk analysis of all electronic protected health information (ePHI); failure to secure a workstation that accessed ePHI; failure to implement and maintain policies and procedures to safeguard ePHI; lack of unique user names for identifying and tracking users; failure to implement procedures to record and examine activity on the workstation; and impermissible disclosure of individuals’ protected health information.

“In addition to the $850,000 settlement, Lahey must address its history of noncompliance with the HIPAA rules by providing OCR with a comprehensive, enterprisewide risk analysis and corresponding risk management plan, as well as reporting certain events and providing evidence of compliance,” OCR said in a statement.

As usual in OCR settlements, the resolution agreement “shall not be construed as an admission of any kind” by Lahey. However, the medical center shall not contest any obligations under the agreement.

Lahey issued the following statement on the HIPAA settlement to Health Data Management:

“Patient confidentiality is our highest priority. The medical device that was stolen in 2011 contained limited data for approximately 600 patients. The data consisted of names, birth dates and information relating to a specific imaging test. It did not contain social security, financial or any other patient information. Upon learning of the theft, we immediately remotely deleted data off the device, and notified each patient. This was an isolated incident and in the more than four years since the device was stolen, we have no indication that any patients’ personal data relating to this situation was accessed. We had a number of security measures in place at the time and have taken steps since to improve upon those measures.”

The resolution agreement is available here.