OCR just announced another corrective action plan this month, this time with Lifespan Health Systems Affiliated Covered Entity (Lifespan ACE) of Rhode Island. A MacBook laptop that received company email was stolen, and Lifespan ACE had failed to ensure the device was encrypted. As a result, more than 20,000 people's medical information may be compromised.
OCR settled with Lifespan ACE, which has agreed to pay $1,040,000 and enter into a two-year corrective action plan. This is MUCH more than the cost and time it would have taken to ensure that all of their portable devices were adequately protected. There are "addressable" Security Rule citations, but we'll bet every time that failing to encrypt data at rest on any computer that can be stolen will bring OCR's full fury.
Click the graphic below to learn more about this case and to apply some hard-earned lessons to your HIPAA Security program.
Stay (HIPAA) safe,