Women & Infants Hospital of Rhode Island (WIH) agreed to a $150,000 settlement with the Massachusetts Attorney General to resolve allegations that it failed to protect the personal health information of more than 12,000 Massachusetts residents.
WIH lost 19 unencrypted back-up tapes containing patient names, birth dates, SSNs, ultrasound images, exam dates and physician names. WIH had planned to ship the tapes to a data center, and later to another site for data transfer, but that never happened.
Due to an "inadequate inventory and tracking system," the tapes went missing, an error that WIH did not discover for months.
OCR is not the only PHI enforcer
You might have noticed that this settlement is not with the Office of Civil Rights (OCR), the division of HHS that enforces HIPAA. This settlement is with the Massachusetts Attorney General. Many states have breach laws too, and those laws have penalties. Because the Rhode Island-based hospital's breach affected more than 12,000 Massachusetts residents, the Massachusetts Attorney General had enforcement authority.
What you can do
In addition to preparing for upcoming OCR audits, providers can learn from the WIH settlement, which requires the hospital to:
- Maintain a current inventory of locations, custodians and descriptions of unencrypted devices with PHI.
- Perform regular security audits and take corrective action based on audit findings.
In addition, make sure your HIPAA policies address destruction of media containing ePHI, and that personnel managing electronics are trained to follow these policies. This means following up on the destruction process to make sure all media has been addressed.
Finally, find out if your state has breach notification laws in effect. If so, make sure your breach notification policies and procedures incorporate these requirements.