Lahey computer theft leads to HIPAA settlement

Modern Healthcare - REGIONAL NEWS - Joseph Conn

Lahey Hospital and Medical Center has agreed to pay $850,000 in a settlement with HHS’ Office for Civil Rights to resolve alleged privacy and security violations stemming from the theft of a laptop computer with unencrypted patient records. The Burlington, Mass.-based system also entered into a corrective-action plan to address other privacy and security issues raised during the breach probe.

According to the settlement, Lahey reported to the federal agency on Oct. 11, 2011, that an unencrypted laptop used with a CT scanner was stolen from an unlocked treatment room in Lahey’s radiology department.

Lahey “impermissibly disclosed” the electronic medical records of 599 individuals “for a purpose not permitted by the privacy rule” under the Health Insurance Portability and Accountability Act, the agency alleges in the agreement.

It also alleged that Lahey failed to meet other HIPAA requirements, including not conducting “an accurate and thorough” security-risk analysis, failing to assign “a unique username for identifying and tracking user identity” on the computer, and failing to “implement a mechanism to record and examine activity” on the computer.
