Alleged HIPAA Violations Resulted from Medical Center’s Failure to Risk Assess Internet-Based Document Sharing Application and Inadequate Breach Response

The US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) reached a settlement in the form of a Resolution Agreement and Corrective Action Plan (CAP) with St. Elizabeth’s Medical Center (SEMC) in July arising out of two alleged security breach incidents in violation of the HIPAA Security Rule. While the settlement amount paid pursuant to the Resolution Agreement was relatively small in comparison to other recent Resolution Agreements announced by OCR, this one is notable for the fact that one of the breaches related to SEMC’s use of an internet-based document sharing application. According to the complaint filed with OCR, SEMC workforce members used an internet-based document sharing application to store documents containing electronic protected health information (ePHI) of at least 498 individuals.  However, it appears that this practice and the cloud-based document sharing application itself were not included in SEMC’s risk analysis of “the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information,” as required under HIPAA at 45 C.F.R. § 164.308. OCR determined from its investigation that SEMC not only failed to risk assess the application, but it also failed to timely identify and respond once it became aware of its employees’ practice of storing ePHI on the application, failed to mitigate the harmful effects of the incident, and failed to document the security incident and its outcome.     

This settlement highlights a potential gap in many covered entities’ and business associates’ HIPAA compliance. Cloud-based document sharing applications are in wide use across all types of businesses, and health care providers, health plans, and their business associates are no exception. Covered entities and business associates must be careful to account for such applications, which include Dropbox and Google Drive, in their risk analysis. Crucially, the “comprehensive and thorough” risk analysis required under HIPAA must be based on a complete inventory of systems and applications that access or store an organization’s ePHI. 

Swift investigation and mitigation of any known or suspected breach of ePHI, following a documented incident response plan, is also a key component of any covered entity or business associate’s HIPAA compliance. As highlighted here, an organization’s failure to document those protocols, or failure to follow documented incident response protocols, may expose it to as much liability as the breach incident itself. OCR Director Jocelyn Samuels warned in the press release accompanying the settlement announcement: “Organizations must pay particular attention to HIPAA’s requirements when using internet-based document sharing applications. In order to reduce potential risks and vulnerabilities, all workforce members must follow all policies and procedures, and entities must ensure that incidents are reported and mitigated in a timely manner.”       

The settlement amount also covered a potential breach arising from unsecured ePHI stored on a former SEMC workforce member’s personal laptop and USB flash drive, which was reported by SEMC itself to OCR in 2014. This incident affected 595 individuals.

 A copy of the Resolution Agreement and CAP are available on the OCR website, here.