The day before Thanksgiving, the HHS Office of Civil Rights (OCR) announced its first settlement involving a reported data breach implicating security of medical devices used in the hospital setting. OCR’s $850,000 settlement and resolution agreement with Lahey Hospital and Medical Center (LHMC) stem from the theft of a laptop workstation used to operate and produce images from a portable CT scanner from an unlocked treatment room on August 11, 2011.
Consistent with its past practice, OCR launched an in-depth investigation following LHMC’s required breach report, and that investigation uncovered additional alleged HIPAA Security Rule violations. As part of its resolution agreement, LHMC agreed to update its security policies and procedures and to comply with extensive training and reporting requirements as conditions of a corrective action plan lasting two years.
The LHMC resolution is especially noteworthy for several reasons. First, it is the first OCR resolution specifically involving a medical device in a hospital setting, as opposed to ePHI that hospitals store in EMRs/EHRs. Second, the number of individuals affected (only 600 people) was relatively low compared to other incidents with comparably large settlements, which shows OCR is focused equally on large and small incidents.
OCR’s security deficiency allegations in the LHMC resolution are important for hospitals and health systems because they focus predominantly on the medical device workstation’s vulnerabilities. OCR’s press release alleged that LHMC failed to physically safeguard the workstation, lacked policies and procedures, and neglected to utilize unique user names to identify and track access to and activity on the workstation.
As illustrated by the LHMC settlement, medical device privacy and security is a critical issue that will continue to be a target for regulatory oversight. These findings provide insight into OCR’s expectations regarding appropriate health information security protocols for medical devices located in hospitals and other facilities. Hospitals and other covered entities that utilize medical devices should carefully evaluate their HIPAA compliance with respect to these important medical tools, as part of the required security risk assessment.
Less than a week after the LHMC settlement, OCR also announced a separate $3.5 million settlement and resolution agreement with Triple-S Management Corporation (TSMC), a holding company for multiple insurance entities in Puerto Rico. The settlement alleged a wide range of HIPAA Privacy and Security Rule violations related to seven incidents of unauthorized PHI disclosures reported by TSMC’s wholly owned subsidiaries between 2010 and 2015. As part of the resolution, TSMC agreed to implement an extensive three-year corrective action plan. The close proximity in time between the two settlement announcements may signal that OCR intends to step up enforcement in the coming months.