Health Law Update

Home | Health Law Update

The day before Thanksgiving, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) <a href="http://www.hhs.gov/about/news/2015/11/25/hipaa-settlement-reinforces-lessons-users-medical-devices.html">announced</a> the largest resolution agreement of 2015, against Lahey Hospital and Medical Center (Lahey). The incident giving rise to the $850,000 settlement was apparently an isolated theft involving 599 patients with electronic protected health information (ePHI) on a radiology laptop used for CT scans in an unlocked treatment room.

As with all investigations conducted by OCR following a reported breach, OCR identified several areas where the hospital purportedly failed to comply with HIPAA:
<ul>
	<li>Failure to conduct a thorough risk analysis of all of its ePHI</li>
	<li>Failure to physically safeguard a workstation that accessed ePHI</li>
	<li>Failure to implement and maintain policies and procedures regarding the safeguarding of ePHI maintained on workstations utilized in connection with diagnostic/laboratory equipment</li>
	<li>Lack of a unique user name for identifying and tracking user identity with respect to the workstation at issue in this incident</li>
	<li>Failure to implement procedures that recorded and examined activity in the workstation at issue in this incident</li>
	<li>Impermissible disclosure of 599 individuals’ PHI</li>
</ul>
<strong><a href="http://www.dataprivacymonitor.com/hipaahitech/ocr-continues-waving-its-hipaa-enforcement-flag-dont-forget-about-medical-devices/">Read more &gt;&gt;</a></strong>

OCR Continues Waving Its HIPAA Enforcement Flag: Don’t Forget About Medical Devices