On April 21, 2017, Lifespan Corporation filed a breach report with the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) concerning the theft of a hospital employee’s laptop containing electronic protected health information (ePHI), including patients’ names, medical record numbers, demographic information, and medication information. The breach affected 20,431 individuals.
Lifespan Corporation is the parent company and business associate of Lifespan Health System Affiliated Covered Entity (Lifespan ACE). However, OCR’s investigation also found that Lifespan ACE failed to have a business associate agreement (BAA) in place with Lifespan Corporation.
As reported in Becker’s Hospital Review, Lifespan notified patients on April 21, 2017 about the breach, which occurred when a Lifespan employee’s car was broken into on February 25th. Several items were stolen, including a MacBook laptop the employee used for work purposes.
A Lifespan internal investigation found the stolen laptop was unencrypted and not password protected, meaning the employee’s work emails were potentially accessible.
OCR also uncovered that Lifespan did not have device and media controls in place, nor had the company signed a BAA with its parent company, Lifespan Corporation.
As a result, Lifespan must pay a $1,040,000 HIPAA fine. Lifespan has also agreed to a corrective action plan that includes two years of monitoring.
Don’t let this happen to you
We recommend a two-pronged approach to avoid such high HIPAA fines due to stolen laptops.
1. Make sure every laptop in your organization has an encrypted hard drive
As one option, Microsoft provides BitLocker for free with certain versions of Windows.
macOS also includes a utility called FileVault 2 to encrypt the contents of a hard drive.
2. Send secure email from any device
In today’s society, employees, regardless of profession, will take their work home with them. Just like everyone else, employees of covered entities need to be able to send secure email anytime, anywhere.
That’s where Paubox comes in. Paubox Email Suite allows users to send HIPAA-compliant email directly to patients’ inboxes, with no passwords or portals required. It integrates directly with a customer’s existing email provider, so users do not need to change their workflow in any way to maintain HIPAA compliance.
In addition, Paubox will sign a BAA with any and all customers.
Paubox Email Suite Premium offers additional features, such as inbound email security to protect against email spoofing, phishing attempts, and malware attacks. It also includes email data loss prevention tools that ensure employees do not send sensitive or critical information outside of the corporate network.
We understand the HIPAA landscape and we are here to help with your compliance needs.