• Rhode Island's Lifespan agreed to pay $1.04 million to resolve allegations of a possible HIPAA violation following the theft of an unencrypted laptop.
• In 2017, the nonprofit health care system reported to the HHS Office for Civil Rights that an employee’s stolen MacBook laptop was not encrypted and contained the protected health information of more than 20,000 patients.
• An OCR investigation found that Lifespan was “not consistently compliant” with HIPAA and that there was a lack of control over equipment related to this type of issue. According to a statement Lifespan sent to Healthcare Dive, there is no indication that anyone saw or used any information after the incident.
In 2019, OCR reviewed and received improvement plans for 235 events, according to the agency. This is important in 2018, although it is close to the 2016 figure.
According to the OCR, Lifespan agreed to a corrective action plan that includes two years of follow-up.
“Laptops, cell phones, and other mobile devices are stolen every day; this is the harsh reality,” OCR Director Roger Severino said in a statement. The best protection is to hide mobile devices to “prevent identity theft,” Severino added.
According to Lifespan, the laptop in question was stolen from an employee’s car in February 2017.
“Both before the incident and in the past three years, we have taken several steps to further refine our tactics to protect the security and privacy of patient data,” Lifespan said in its statement.
Lifespan is Rhode Island’s largest health care system, with five hospitals, including a mental health center, and annual operating revenues of $2.4 billion. More recently, Lifespan said the pandemic has revived merger talks with Care New England, which also has ties to the Brown University School of Medicine.
As providers grapple with the new coronavirus outbreak, and some have been overwhelmed by patients, OCR announced earlier this year that the office was partially suspending HIPAA enforcement.