The United States Department of Health and Human Services (HHS) has closed an investigation into a Rhode Island health system stemming from a 2017 breach. Briefly summarized, Lifespan Health System Affiliated Covered Entity had reported the theft of a laptop with protected health information (PHI). The laptop contained the PHI of 20,431 individual patients. Data included names and medical information.
The laptop was not encrypted. As a result of the investigation, Lifespan will adopt a corrective action plan. It will also be subject to two years of monitoring by the HHS Office for Civil Rights (OCR). And it will pay a million-dollar fine.
The OCR investigation found pervasive noncompliance with HIPAA obligations throughout the Lifespan system. Despite concluding that laptops should be encrypted, Lifespan failed to do so. It also failed to enter into business associate agreements with multiple related entities. OCR also observed the lack of device and media controls.
Roger Severino, OCR Director, noted that unfortunately laptops, cellphones, and mobile devices are stolen every day. “Covered entities can best protect their patients’ data by encrypting mobile devices to thwart identity thieves,” Severino stated. Mistakes happen. OCR understands that no entity is absolutely “secure” when it comes to data.
But when the entity knows of significant vulnerabilities that may lead to PHI compromise, it must act promptly and in good faith to mitigate them. Knowledge of a vulnerability, combined with a failure to remedy it, comes with a high price tag. A million dollars for this incident underscores this point.
The incident is a reminder to all HIPAA regulated organizations, whether covered entities or business associates, of the necessity of encrypting all mobile data devices. The Security Rule pushes encryption. Moreover, unauthorized access to encrypted data does not constitute a breach. There may be other problems, but a breach wouldn’t be one.