Recently, Lahey Hospital and Medical Center (Lahey), a nonprofit teaching hospital located in Massachusetts, agreed to settle alleged violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) by paying $850,000 and adopting a robust corrective action plan.

The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) first received a HIPAA breach notification from Lahey in October 2011 upon Lahey’s discovery of a stolen laptop.  The laptop in question operated a portable CT scanner and produced images for viewing through Lahey’s radiology information system.  Its hard drive contained unencrypted electronic Protected Health Information (ePHI) of 599 individuals.  OCR investigated the breach and found that Lahey failed to: conduct a thorough risk analysis; safeguard the workstation associated with the CT scanner; and maintain certain required policies and procedures, among other deficiencies.

In addition to agreeing to pay $850,000, Lahey entered into a corrective action plan that will remain in place for 2 years.  The corrective action plan requires Lahey to take certain steps to improve HIPAA compliance.  Specifically, Lahey must conduct a risk analysis, develop and revise certain policies and procedures, train its workforce, alert OCR of instances of suspected noncompliance, and issue annual reports to OCR regarding HIPAA compliance.  Regarding Lahey’s settlement, OCR Director Jocelyn Samuels commented that “it is essential that covered entities apply appropriate protections to workstations associated with medical devices such as diagnostic or laboratory equipment.  Because these workstations often contain ePHI and are highly portable, such ePHI must be considered during an entity’s risk analysis, and entities must ensure that necessary safeguards that conform to HIPAA’s standards are in place.”