Although laptop computers are not particularly expensive, losing one can cost a health care provider a lot of money. The Department of Health and Human Services Office for Civil Rights (OCR) has announced a settlement agreement with Lifespan ACE, the largest health care network in Rhode Island. Lifespan ACE has agreed to pay $1,040,000 to OCR and to implement a corrective action plan to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules related to the theft of an unencrypted laptop. 

On April 21, 2017, Lifespan Corporation, the parent company and a business associate of Lifespan ACE, filed a breach report with OCR concerning the theft of a hospital employee's laptop containing the electronic protected health information (ePHI) of over 20,000 individuals, including: patients' names, medical record numbers, demographic information, and medication information. The information on the laptop was unencrypted. While no information has come to light that any of the ePHI was misused, the laptop was never recovered.

OCR's investigation determined that there was "systemic noncompliance" with the Privacy and Security Rules including a failure to encrypt ePHI on laptops. OCR also found a lack of device and media controls, and a failure to have a business associate agreement in place with the Lifespan Corporation.

"Laptops, cellphones, and other mobile devices are stolen every day, that's the hard reality. Covered entities can best protect their patients' data by encrypting mobile devices to thwart identity thieves," said Roger Severino, the director of OCR. 

In addition to the monetary settlement, which was over and above the expenses incurred by Lifespan ACE to notify individuals who were affected by the breach, Lifespan ACE agreed to a corrective action plan that includes multiple revisions to Lifespan ACE's policies and procedures, training of employees, and two years of monitoring by OCR.

This incident is yet another reminder of the importance of having effective policies and procedures in place to protect ePHI. Taft's Health Care and Life Sciences attorneys, with support from Taft's Privacy and Data Security attorneys are available to assist health care clients in evaluating their HIPAA compliance.

Originally published 30 July, 2020

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.