The U.S. Department of Health and Human Services Office for Civil Rights (OCR) kicked off the holiday season by publishing a settlement agreement under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) relating to the theft of an unencrypted laptop from a hospital. Lahey Hospital and Medical Center (Lahey), a nonprofit teaching hospital in Massachusetts, agreed to pay $850,000 and adopt a “robust” corrective action plan to resolve possible violations of the HIPAA Privacy and Security Rules.
In October 2011, Lahey notified OCR that an unencrypted laptop containing the electronic protected health information (ePHI) of 599 individuals was stolen two months earlier from an unlocked treatment room. The laptop operated a portable CT scanner used by Lahey to produce diagnostic images for viewing through the hospital’s radiology information system.

According to OCR, its investigation of the breach indicated Lahey’s “widespread non-compliance” with the HIPAA Privacy and Security Rules, including:

  • Failure to conduct a thorough risk analysis of all of its ePHI;
  • Failure to physically safeguard a workstation that accessed ePHI;
  • Failure to implement and maintain policies and procedures regarding the safeguarding of ePHI maintained on workstations used with diagnostic/laboratory equipment;
  • Failure to use unique user names for identifying and tracking user identity for the workstation at issue in this incident; and
  • Failure to implement procedures that recorded and examined activity in the workstation at issue in this incident.

Corrective Action Plan

In addition to paying $850,000 to OCR, Lahey must:

  • Conduct an organization-wide risk analysis of its electronic media, workstations, and information systems and develop a risk management plan to address the risk and vulnerabilities identified by the risk analysis. OCR must approve the risk analysis methodology and risk management plan.
  • Develop or revise written policies and procedures to address compliance failures underlying the breach, which policies and procedures must be pre-approved by OCR and include procedures for:
    • recording the receipt, removal, and disposition, whether external or internal to Lahey’s facility, of hardware and electronic media that maintain ePHI;
    • ensuring workstations that maintain ePHI used in connection with diagnostic or laboratory equipment are registered with, and under the control of, the hospital’s Information Services Department; and
    • implementing mechanisms that record and examine activity in information systems of workstations that maintain ePHI used in connection with diagnostic or laboratory equipment.
  • Promptly report to OCR any failures by Lahey’s workforce to comply with its policies and procedures.
  • Submit to OCR an implementation report that includes, among other things, an attestation by an officer of the hospital that the policies and procedures have been implemented and an attestation by an officer of the hospital that, based on the officer’s review of the implementation report and reasonable inquiry regarding its content, the officer believes the information is accurate and truthful.
The “robust” requirements of the corrective action plan in the Lahey settlement agreement and the September 2015 settlement agreement with Cancer Care Group, P.C., which involved the theft of unencrypted computer server backup media, demonstrate OCR’s focus on the importance of risk analysis and device and media control policies. These settlement agreements are also a reminder that when investigating a breach, OCR may look beyond the particular incident and review the covered entity’s or business associate’s overall compliance with HIPAA. Based on recent reports by the Department of Health and Human Services Office of Inspector General and OCR’s statements that it will proceed with the next round of HIPAA audits in early 2016, covered entities and business associates should:

  • Review OCR settlement agreements, particularly the Lahey and Cancer Care Group, P.C. agreements, to see if their policies and procedures address device security;
  • Assess whether the entity’s risk analysis needs to be updated given new risks involving devices that have been identified by OCR, the Food and Drug Administration, and other government agencies, such as the ability of hackers to infiltrate hospital systems through medical devices;
  • Assess whether the entity’s risk management plan is current and whether new policies and procedures are needed to address newly identified risks and vulnerabilities associated with mobile and medical devices; and
  • Evaluate whether workforce members who access ePHI are current with their HIPAA training requirements.