On July 27, 2020, the Office for Civil Rights (OCR) published a Resolution Agreement (RA) with a Rhode Island based covered entity.
This RA reported Lifespan ACE, which includes three academic teaching hospitals in Rhode Island, filed a breach notification with the OCR concerning the theft of an unencrypted laptop. The unencrypted laptop was stolen from an affiliated hospital employee’s car on Saturday, February 25, 2017 while parked in a public parking lot. Lifespan ascertained the employee’s emails were cached in a file on the device’s hard drive, noting the thieves had access to patient names, medical record numbers, demographic information, including partial address information, and the name of one or more medication prescribed or administered to the patients. The breach affected 20,431 individuals across provider facilities, including Rhode Island Hospital, Lifespan Pharmacy, LLC, retail pharmacies and affiliated hospitals of Lifespan. The RA resulted in the company agreeing to pay the Department of Health and Human Services (HHS) $1,040,000 while entering into a Corrective Action Plan (CAP).
What Were OCR's Findings?
- Lifespan did not implement policies and procedures to encrypt all devices used for work purposes.
- Lifespan did not implement policies and procedures to track or inventory all devices that access the network or contain ePHI.
- Lifespan did not have the proper business associate agreements in place between Lifespan Corporation and the Lifespan healthcare provider affiliate that are members of the Lifespan ACE.
- Lifespan impermissibly disclosed the PHI of 20,431 individuals.
What Must Occur?
Because Lifespan has entered into a CAP with OCR, Lifespan is required to:
- Designate one or more individual(s) to be responsible for ensuring Lifespan enters into business associate agreements with all business associates prior to disclosing PHI to the business associate. This includes current and future business associates.
- Submit to HHS policies and procedures on accounting for all business associates within 60 days.
- Provide proof of encryption and access controls, within 90 days, by submitting a written report or reports to HHS. This includes the status of encryption of Lifespan devices and an update of the Network Access Controls report. The report includes the number of electronic media, date of encryption, and includes but is not limited to desktop computers, laptop computers, tables, mobile telephones, USB drives, and medical equipment, which may be utilized to store, create, maintain, or transmit Lifespan ePHI.
- Provide supportive documentation of a Mobile Device Management (MDM) solution to ensure all Lifespan-owned and personally owned mobile devices are encrypted.
- Review and revise written policies and procedures as it pertains to Device and Media Controls within 45 days and submit to HHS for approval.
- Self-report to OCR any workforce violation of the HIPAA policies or provisions of the CAP.
- Provide annual reports to OCR in accordance with the RA.
What Should You Do?
- Begin conducting your Security Risk Analysis annually, if you are not already doing so, to ensure you are continually managing the risks related to your company’s current systems. Be sure to include Access Controls and inventory all devices where ePHI can be located, including personally owned devices.
- Create a process to ensure encryption or an encryption equivalent process is in place for all devices accessing, transmitting, storing, or creating ePHI.
- Create a Bring Your Own Device Policy when staff are utilizing personally owned devices to access, store, maintain or transmit PHI.
- Ensure a process and designee is in charge of inventorying all business associates and ensuring business associate agreements are in place prior to disclosing PHI.
- Establish a routine HIPAA security audit process to monitor system and network activity for possible attacks or unauthorized data access from external threats.
- Review staff training materials to confirm it reflects the workforce roles, rights, and access levels to reduce insider threats. Insider threats continue to remain one of highest threats to our data systems.
- Institute a sanction process to take disciplinary steps when workforce privacy and security violations occur.
- Consider Data Penetration or Intrusion testing, to ensure your data cannot be accessed by external threats and software vulnerabilities.
LW Consulting, Inc. (LWCI) has experienced professionals that can help review your organization’s HIPAA Security policies and procedures and review your data systems to ensure they are protected. LWCI also offers HIPAA Security Policies and a step-by-step integration process. For more information on our HIPAA Security Policies & Procedures Package, visit the LWCI Store.
For more information or to discuss Data Penetration and Intrusion testing, contact Deborah Alexander at 717-213-3123 or email DAlexander@LW-Consult.com.