The day before Thanksgiving, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced the largest resolution agreement of 2015, against Lahey Hospital and Medical Center (Lahey). The incident giving rise to the $850,000 settlement was apparently an isolated theft involving 599 patients with electronic protected health information (ePHI) on a radiology laptop used for CT scans in an unlocked treatment room.
As with all investigations conducted by OCR following a reported breach, OCR identified several areas where the hospital purportedly failed to comply with HIPAA:
- Failure to conduct a thorough risk analysis of all of its ePHI
- Failure to physically safeguard a workstation that accessed ePHI
- Failure to implement and maintain policies and procedures regarding the safeguarding of ePHI maintained on workstations utilized in connection with diagnostic/laboratory equipment
- Lack of a unique user name for identifying and tracking user identity with respect to the workstation at issue in this incident
- Failure to implement procedures that recorded and examined activity in the workstation at issue in this incident
- Impermissible disclosure of 599 individuals’ PHI