On April 21, 2017, Lifespan Corporation filed a breach report with the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) concerning the theft of a hospital employee's laptop containing electronic protected health information (ePHI), including patients' names, medical record numbers, demographic information, and medication information. The breach affected 20,431 individuals. Lifespan Corporation is the parent company and business associate of Lifespan Health System Affiliated Covered Entity (Lifespan ACE). However, OCR's investigation also found that Lifespan ACE failed to have a business associate agreement (BAA) in place with Lifespan Corporation.
What happened?
As reported in Becker's Hospital Review, Lifespan notified patients on April 21, 2017 about the breach, which occurred when a Lifespan employee's car was broken into on February 25th. Several items were stolen, including a MacBook laptop the employee used for work purposes. A Lifespan internal investigation found the stolen laptop was unencrypted and not password protected, meaning the employee's work emails were potentially accessible to whoever had the device.
Consequences
OCR's investigation determined that there was systemic noncompliance with the HIPAA Privacy Rule and HIPAA Security Rule, including a failure to encrypt ePHI on laptops. OCR also uncovered that Lifespan did not have device and media controls, nor had the company signed a BAA with its parent company, Lifespan Corporation. As a result, Lifespan must pay a $1,040,000 HIPAA fine. Lifespan has also agreed to a corrective action plan that includes two years of monitoring.
HHS Wall of Shame
Pursuant to section 13402 of the HITECH Act, the HHS Secretary is required to post a list of ePHI or PHI breaches affecting 500 or more individuals. The HHS Wall of Shame lists all breaches reported within the last 24 months. It includes HIPAA breaches that the OCR is currently investigating.
Don't let this happen to you
We recommend a two-pronged approach to avoid such high HIPAA fines due to stolen laptops.
1. Make sure every laptop in your organization has an encrypted hard drive
As one option, Microsoft provides BitLocker for free with certain versions of Windows. macOS also includes a utility called FileVault 2 to encrypt the contents of a hard drive. Full-disk encryption is what turns a stolen laptop from a reportable breach into a lost piece of hardware: without the key, the ePHI on the drive is unreadable.
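Turning the encryption on is only half the control; OCR expects an organization to be able to show that every laptop actually has it enabled. The script below is an added example (not part of the original post or of any vendor tooling) of the kind of inventory check an administrator can run on macOS laptops. It assumes the stock `fdesetup status` wording ("FileVault is On." / "FileVault is Off."); on a host without `fdesetup` it reports "unknown" rather than guessing. The sample outputs inside `main` are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post: report whether the local
# macOS laptop has FileVault enabled, suitable for an MDM or cron inventory job.
# Assumption: `fdesetup status` prints "FileVault is On." or "FileVault is Off."

# filevault_state TEXT -> prints "on", "off" or "unknown" for a given status text
filevault_state() {
    case "$1" in
        *"FileVault is On"*)  echo "on" ;;
        *"FileVault is Off"*) echo "off" ;;
        *)                    echo "unknown" ;;
    esac
}

# disk_encryption_compliant TEXT -> exit status 0 only when encryption is on,
# so a job can fail loudly (and be ticketed) for any non-compliant device
disk_encryption_compliant() {
    [ "$(filevault_state "$1")" = "on" ]
}

# Query the real tool when present; otherwise return "unknown" (e.g. on Linux).
local_filevault_state() {
    if command -v fdesetup >/dev/null 2>&1; then
        filevault_state "$(fdesetup status 2>/dev/null)"
    else
        echo "unknown"
    fi
}

# One line of evidence per host: hostname, timestamp, state
inventory_line() {
    printf '%s,%s,%s\n' "$(hostname)" "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$(local_filevault_state)"
}

main() {
    inventory_line
    sample_on="FileVault is On."     # constructed sample of fdesetup output
    sample_off="FileVault is Off."   # constructed sample of fdesetup output
    printf 'sample_on  -> %s\n' "$(filevault_state "$sample_on")"
    printf 'sample_off -> %s\n' "$(filevault_state "$sample_off")"
    if disk_encryption_compliant "$sample_off"; then
        echo "sample_off wrongly passed"
    else
        echo "sample_off correctly flagged as non-compliant"
    fi
}

main "$@"
```

Collecting the CSV line from every device gives the "device and media controls" evidence OCR looked for in this case. The Windows counterpart is PowerShell's `Get-BitLockerVolume`, whose `ProtectionStatus` property should read `On` for the operating-system drive.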
2. Send secure email from any device
In today's society employees, regardless of profession, will take their work home with them. Just like everyone else, employees of covered entities need to be able to send secure email anytime, anywhere. That's where Paubox comes in. Paubox Email Suite allows users to send HIPAA compliant email directly to patients' email boxes, no passwords or portals required. It integrates directly with a customer's existing email provider, so users do not need to change their workflow in any way to maintain HIPAA compliance. In addition, Paubox will sign a BAA with any and all customers. Paubox Email Suite Premium offers additional features, such as inbound email security to protect against email spoofing, phishing attempts, and malware attacks. It also includes email data loss prevention tools, which ensure that employees do not send sensitive or critical information outside of the corporate network. We understand the HIPAA landscape and we are here to help with your compliance needs.