First Seven-Figure HIPAA Settlement of 2020

Less than one week after announcing only the second HIPAA enforcement action resolution of the year, the Office for Civil Rights (OCR) issued a press release detailing its first seven-figure settlement of 2020. A non-profit healthcare system in Rhode Island, Lifespan, agreed to pay $1,040,000 and to sign a corrective action plan for alleged systemic HIPAA violations. As with the two other resolutions announced this year, HIPAA Security Rule violations remain a top concern. Also, as with the first enforcement action this year, Lifespan neglected to have the necessary business associate agreements in place.

The Lifespan settlement is the result of OCR's investigation of a 2017 breach involving an unencrypted laptop stolen from a car parked in a public lot over the weekend. (How many issues can you identify in just that one sentence?) The employee used the laptop to access emails, and those emails may have been cached on the device's hard drive. The emails contained the protected health information (PHI) of over 20,000 patients.

Lifespan's parent corporation, which is a business associate of Lifespan, filed the breach report in 2017. Not surprisingly, OCR sought proof that Lifespan and its parent corporation had entered into a business associate agreement. They had not. The investigation also uncovered that Lifespan failed to have a policy requiring the encryption of all devices used for work purposes. OCR's press release alludes to the fact that Lifespan, likely through a risk analysis, determined that it needed to encrypt all devices but never implemented policies or procedures to do so. Finally, OCR found that Lifespan failed to implement policies and procedures to track or inventory all devices that have access to or that store PHI.

Key takeaways: (1) Covered entities need business associate agreements with any separate legal entity performing work on their behalf that involves the use of PHI, even a corporate parent; (2) failing to implement measures to address findings in a risk analysis can be just as problematic as not doing a risk analysis at all; and (3) it is important to know which devices are attached to the covered entity's network or store PHI and to apply security policies to them (or prohibit those devices from accessing the network or storing PHI).
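Takeaways (2) and (3) are where the gap in this case was concrete: a risk analysis said "encrypt everything," but nobody could show which laptops existed or whether they were encrypted. The following is an added example (not from the original post or from Lifespan) of the kind of reconciliation check a security team can run: it compares a device inventory of PHI-handling endpoints against an encryption report exported from an endpoint management tool and flags unencrypted PHI devices, devices the tool sees that were never inventoried, and inventoried devices the tool has never reported on. Both data sets, the device identifiers, and the `phi`/`encrypted` fields are constructed for the example.

```python
"""Reconcile a device inventory against an endpoint encryption report.

Added example, not from the original post. The inventory and the endpoint
report below are constructed; in practice the inventory would come from the
asset register and the report from an MDM or endpoint-management export.
"""
from dataclasses import dataclass

# Constructed inventory: device id -> owner and whether the device is
# approved to access or store PHI.
INVENTORY = {
    "LT-0001": {"owner": "clinic-a", "phi": True},
    "LT-0002": {"owner": "billing", "phi": True},
    "LT-0003": {"owner": "facilities", "phi": False},
    "LT-0004": {"owner": "clinic-b", "phi": True},
}

# Constructed endpoint report: device id -> full-disk encryption state as
# observed by the endpoint tool. LT-0005 was never put in the inventory.
ENDPOINT_REPORT = {
    "LT-0001": {"encrypted": True},
    "LT-0002": {"encrypted": False},
    "LT-0003": {"encrypted": False},
    "LT-0005": {"encrypted": True},
}


@dataclass(frozen=True)
class Finding:
    device: str
    severity: str  # "high", "medium" or "unknown"
    issue: str


def reconcile(inventory, report):
    """Return findings, sorted by device id, for every gap between the
    inventory (what should exist and what it may hold) and the report
    (what the endpoint tool actually observed)."""
    findings = []
    for dev, meta in sorted(inventory.items()):
        if dev not in report:
            # The tool has never seen it: its encryption state is unknown,
            # which is the situation OCR faulted Lifespan for.
            findings.append(Finding(dev, "unknown",
                                    "inventoried but never reported by endpoint tool"))
        elif not report[dev]["encrypted"]:
            if meta["phi"]:
                findings.append(Finding(dev, "high",
                                        "approved for PHI but disk is not encrypted"))
            else:
                # Policy in the post is "encrypt all work devices", so a
                # non-PHI device is still a gap, just a smaller one.
                findings.append(Finding(dev, "medium",
                                        "work device without disk encryption"))
    for dev in sorted(set(report) - set(inventory)):
        findings.append(Finding(dev, "high",
                                "seen by endpoint tool but missing from inventory"))
    return findings


def summarize(findings):
    """Count findings per severity so the report can be tracked over time."""
    counts = {"high": 0, "medium": 0, "unknown": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    results = reconcile(INVENTORY, ENDPOINT_REPORT)
    for f in results:
        print(f"{f.device}  {f.severity:8}  {f.issue}")
    print(summarize(results))
```

The two "high" findings are the ones that map to the Lifespan facts: a device that holds PHI without encryption, and a device that was in use but never inventoried, so no policy was ever applied to it. Running this regularly and treating a non-empty "unknown" bucket as a failure is the cheap way to prove that a risk-analysis finding was actually acted on.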

Most important takeaway: OCR is back at work enforcing HIPAA.