By George F. Indest III, J.D., M.P.A., LL.M., Board Certified by The Florida Bar in Health Law

Massachusetts-based Lahey Clinical Hospital Inc. (Lahey) recently entered into a settlement agreement with the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) to resolve potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules.  The HHS press office announced on November 25, 2015, that Lahey agreed to pay $850,000 and to adopt an extensive action plan to correct deficiencies in its HIPAA compliance program as a part of a Resolution Agreement.

To read the full Resolution Agreement, click here.

Lahey is a nonprofit teaching hospital affiliated with Tufts Medical School.  It is a covered entity per Section 160.103, 45 Code of Federal Regulations, and thereby required to comply with HIPAA rules.  The medical center provides primary and specialty care to hundreds of thousands of patients each year.

In 2011, Lahey notified HHS that an unencrypted laptop used in connection with a computerized tomography (CT) scanner had been stolen from an unlocked treatment room during overnight hours.  The laptop hard drive contained unsecured electronic protected health information (ePHI) of approximately 599 patients.  Because the drive was not encrypted, the ePHI on it was "unsecured" within the meaning of the Breach Notification Rule (section 164.402, 45 C.F.R.), which is why the theft was a reportable breach; ePHI encrypted in accordance with HHS guidance is not treated as unsecured.  OCR notified Lahey of its investigation into Lahey's compliance with HIPAA by letter dated November 9, 2011.

To read the full press release issued by HHS on November 25, 2015, click here.

OCR’s Investigation into Lahey’s Conduct.

OCR claimed that its investigation uncovered widespread non-compliance with HIPAA rules at Lahey.  Per the terms of the Resolution Agreement, Lahey admits no liability and HHS makes no formal finding that a violation occurred.  However, OCR reported to Lahey that its investigation indicated the following potential HIPAA violations:

(1)    Failure to conduct a thorough risk analysis of all of its ePHI as part of its security management process (section 164.308(a)(1)(ii)(A), 45 Code of Federal Regulations (C.F.R.));

(2)    Failure to implement reasonable and appropriate physical safeguards for a workstation that accessed ePHI to restrict access to authorized users only (section 164.310(c), 45 C.F.R.);

(3)    With respect to the workstation, failure to implement and maintain policies and procedures that govern the receipt and removal of hardware and electronic media that contain ePHI, including the movement of these items within its facility (section 164.310(d)(1), 45 C.F.R.);

(4)    Failure to assign a unique user name for identifying and tracking user identity with respect to the workstation at issue (section 164.312(a)(2)(i), 45 C.F.R.);

(5)    Failure to implement a mechanism to record and examine activity at the workstation at issue (section 164.312(b), 45 C.F.R.); and

(6)    Impermissible disclosure of the ePHI of 599 patients for a purpose not permitted by the Privacy Rule (section 164.502(a), 45 C.F.R.).

The Implementation of a Corrective Action Plan.

Lahey agreed to enter into a Corrective Action Plan (CAP) with HHS as a part of the settlement.  Under the CAP, Lahey has agreed to specific obligations that must be completed within set time frames, and it is expected to comply fully and on time with every provision.  Should Lahey breach any provision of the CAP, it is given only a limited period to cure the breach in order to avoid civil monetary penalties (CMPs) pursuant to section 160.312(a)(3)(i) and (ii), 45 C.F.R.

For more information on the penalties that can result from failure to comply with HIPAA, click here to read one of my previous blog posts.

HIPAA is a Tricky Situation.  

With the growing use of technological devices for both personal and professional purposes, HIPAA violations now often result from seemingly innocent behavior that nonetheless constitutes a breach.  It is important to be aware of all that HIPAA encompasses and how to safeguard yourself and your workplace from unknowingly running afoul of it.  Click here to read an informative and eye-opening blog post by The Sentinel Watch on HIPAA perils for health care professionals that are not so obvious.

HHS recently issued a HIPAA fact sheet to assist health care professionals and organizations.  To review the document providing a basic overview of HIPAA’s rules and your responsibilities as a licensed health care professional, click here.

For even more information on HIPAA basics and the implementation of safeguards, read one of my previous blog posts here.

Contact a Health Law Attorney Experienced in Defending HIPAA Complaints and Violations.

The attorneys of The Health Law Firm represent physicians, medical groups, nursing homes, home health agencies, pharmacies, hospitals and other health care providers and institutions in investigating and defending alleged HIPAA complaints and violations and in preparing Corrective Action Plans (CAPs).

For more information about HIPAA violations or corrective action plans, please visit our website or call (407) 331-6620.


HHS Press Office.  “HIPAA Settlement Reinforces Lessons for Users of Medical Devices.”  Press Release.  U.S. Department of Health & Human Services: 25 Nov. 2015.  Web.  3 Dec. 2015.

Resolution Agreement, 1-2, Nov. 19, 2015.

Appendix A: Corrective Action Plan, 2 & 6, Nov. 19, 2015.

About the Author: George F. Indest III, J.D., M.P.A., LL.M., is Board Certified by The Florida Bar in Health Law. He is the President and Managing Partner of The Health Law Firm, which has a national practice. Its main office is in the Orlando, Florida, area. The Health Law Firm, 1101 Douglas Ave., Altamonte Springs, FL 32714, Phone: (407) 331-6620.

KeyWords: Health Insurance Portability and Accountability Act (HIPAA), HIPAA, HIPAA compliance, data security, protected health information (PHI), electronic protected health information (ePHI), Patient privacy, U.S. Department of Health and Human Services (HHS), Office of Civil Rights (OCR), patient rights, HIPAA compliance audit, HIPAA violation, penalties for HIPAA violation, criminal penalties for HIPAA violation, civil penalties for HIPAA violation, civil monetary penalties for HIPAA breach, HIPAA compliance, privacy, defense attorney, HIPAA defense lawyer, health care professional attorney, HIPAA defense attorney, HIPAA violation help, HIPAA attorney, HIPAA lawyer, compliance plans, health law firm, The Health Law

“The Health Law Firm” is a registered fictitious business name of George F. Indest III, P.A. – The Health Law Firm, a Florida professional service corporation, since 1999.
Copyright © 1996-2015 The Health Law Firm. All rights reserved.