Kusserow on Compliance: OCR continues enforcement involving HIPAA breaches

2020 Survey found 60 percent of health care organizations had recent OCR encounters

Lifespan to pay $1,040,000 to Settle Unencrypted Stolen Laptop Breach

Although many agencies have taken the Pandemic into consideration when pursuing enforcement actions, this does not mean they have stopped altogether. Everyone was reminded of this with the announcement that Lifespan Health System Affiliated Covered Entity has agreed to pay $1,040,000 to the HHS Office for Civil Rights (OCR) and to implement a corrective action plan with OCR monitoring for 2 years, in order to settle potential violations of the HIPAA Privacy and Security Rules related to the theft of a hospital employee's unencrypted laptop containing electronic protected health information (ePHI) affecting 20,431 individuals. OCR's investigation found:

  • Lack of policies and procedures to encrypt all devices used for work purposes.
  • Failure to encrypt ePHI on laptops.
  • Lack of device and media controls.
  • Failure to have a business associate agreement in place.

Going forward, Lifespan must designate at least one individual to ensure that the organization enters into business associate agreements with its business associates. It must also develop a process for evaluating business relationships and determining which vendors should be considered business associates.

It is noteworthy that the 2020 Healthcare Compliance Benchmark Survey Report found respondents reporting more enforcement encounters with OCR than with the OIG or DOJ. Nearly 60 percent of respondents reported having encounters with the OCR regarding HIPAA breaches in the last few years. The question is no longer whether there will be a HIPAA breach problem that draws OCR attention, but when it will occur. The Survey also found that three quarters of compliance offices now had responsibility for HIPAA Privacy. This lays the compliance challenge at the feet of Compliance Officers.


Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Connect with Richard Kusserow on LinkedIn.

Subscribe to the Kusserow on Compliance Newsletter

Copyright © 2020 Strategic Management Services, LLC. Published with permission.