Lahey Hospital Agrees to Settle Alleged HIPAA Breach

Recently, Lahey Hospital and Medical Center (Lahey), a nonprofit teaching hospital located in Massachusetts, agreed to settle alleged violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) by paying $850,000 and adopting a robust corrective action plan.

The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) first received a HIPAA breach notification from Lahey in October 2011 upon Lahey’s discovery of a stolen laptop.  The laptop in question operated a portable CT scanner and produced images for viewing through Lahey’s radiology information system.  Its hard drive contained unencrypted electronic Protected Health Information (ePHI) of 599 individuals.  OCR investigated the breach and found that Lahey failed to: conduct a thorough risk analysis; safeguard the workstation associated with the CT scanner; and maintain certain required policies and procedures, among other deficiencies.

In addition to agreeing to pay $850,000, Lahey entered into a corrective action plan that will remain in place for 2 years.  The corrective action plan requires Lahey to take certain steps to improve HIPAA compliance.  Specifically, Lahey must conduct a risk analysis, develop and revise certain policies and procedures, train its workforce, alert OCR of instances of suspected noncompliance, and issue annual reports to OCR regarding HIPAA compliance.  Regarding Lahey’s settlement, OCR Director Jocelyn Samuels commented that “it is essential that covered entities apply appropriate protections to workstations associated with medical devices such as diagnostic or laboratory equipment.  Because these workstations often contain ePHI and are highly portable, such ePHI must be considered during an entity’s risk analysis, and entities must ensure that necessary safeguards that conform to HIPAA’s standards are in place.”

This settlement has been added to Cooley’s “Select HIPAA Privacy and Security Enforcement Actions Tracker” that may be accessed on the right side of this page or under the “Resources” tab above.

Leave a comment

Filed under Government Enforcement, Health Information Privacy, Health IT, HIPAA, Privacy and Security

Leave a Reply

Please log in using one of these methods to post your comment: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s