Lahey Hospital and Medical Center in Massachusetts will pay $850,000 as part of a HIPAA settlement with the Office for Civil Rights (OCR).
Lahey will also adopt a “corrective action plan” to further its HIPAA compliance and provide a risk analysis to the OCR as part of the agreement, according to hhs.gov.
The HIPAA violation was first reported by Lahey in 2011 when a laptop connected to a CT scanner was stolen from an unlocked treatment room. The laptop operated the scanner and produced images of scans, so its hard drive held protected health information.
OCR’s subsequent investigation found several problems with the healthcare facility’s HIPAA compliance: a failure to conduct a risk analysis of its ePHI and to physically safeguard the workstation containing it; a failure to implement policies to safeguard ePHI kept on workstations connected to laboratory equipment; and a failure to identify and track user identity on those workstations. The theft exposed the PHI of 599 patients.
Lahey is a nonprofit teaching hospital providing primary and specialty care in Burlington, Massachusetts.
The entire resolution agreement and corrective action plan can be found here.