Lahey Hospital in Massachusetts has agreed to pay $850K over a stolen laptop containing the ePHI of 599 individuals. That works out to over $1,400.00 per individual. It goes without saying that the 2011 incident led to an investigation that found numerous instances of noncompliance with HIPAA rules throughout Lahey Hospital, including a failure to conduct a risk analysis covering all electronic protected health information (ePHI) as well as a failure to safeguard a workstation that had access to ePHI. Equally unremarkable is the fact that the hospital also agreed to implement a corrective action plan that includes a full risk analysis as well as a risk management plan.
The risk of losing mobile devices is real, the lack of encryption is tragic, the apparent norm of a failure to have a proper risk analysis is almost the expected result of an investigation/audit, and the corrective action plan is to be expected.
However, this incident traces back to 2011, before there was heightened awareness of these issues and their consequences.
The real issue is the current reality in which many small, medium and relatively large Covered Entities think that breaches only happen to others, that they will never have a breach, that the likelihood of a random audit is too remote to worry about, and that they will never have to consider the cost of being wrong. Penalties appear to be rising, and the associated legal expense, the ultimate cost of a compliance agreement, and the reputational cost may together be more than many Covered Entities can sustain.