Mass. hospital to pay $850K to settle HIPAA violations

A Massachusetts teaching hospital has agreed to pay $850,000 and implement a robust corrective action plan in a HIPAA settlement with the Department of Health and Human Services' Office for Civil Rights (OCR) as a result of a 2011 theft of a laptop.

Lahey Hospital and Medical Center in Burlington, Mass., notified OCR that a laptop used to operate a portable CT scanner was stolen overnight from an unlocked treatment room on Aug. 11, 2011. The laptop hard drive contained the protected health information (PHI) of 599 patients.

An investigation found several problems with Lahey's privacy and security, including:

  • Failure to physically safeguard a workstation that accessed ePHI.
  • Failure to implement and maintain policies and procedures to safeguard ePHI maintained on workstations used with diagnostic/laboratory equipment.
  • Failure to implement procedures that recorded and examined activity in the workstation at issue in this incident.

"It is essential that covered entities apply appropriate protections to workstations associated with medical devices such as diagnostic or laboratory equipment," said OCR Director Jocelyn Samuels in an announcement. "Because these workstations often contain ePHI and are highly portable, such ePHI must be considered during an entity's risk analysis, and entities must ensure that necessary safeguards that conform to HIPAA's standards are in place."

Beth Walsh, Editor
