On July 8, 2015, the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) and St. Elizabeth’s Medical Center (SEMC) located in Boston, Massachusetts entered into an agreement following an investigation into a complaint regarding their use of an internet-based document sharing application containing electronic protected health information (ePHI). OCR alleged violations by SEMC of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and corresponding regulations. Executed nearly three years after a SEMC workforce member originally submitted a complaint to OCR, the agreement between OCR and SEMC requires SEMC to pay $218,400 to OCR and implement a significant corrective action plan (CAP) focused on alleged deficiencies in SEMC’s HIPAA compliance practices.

The November 16, 2012 complaint alleged that a SEMC internet-based document sharing application stored documents containing ePHI of at least 498 individuals. Subsequently, on August 25, 2014, SEMC notified OCR that a breach of unsecured ePHI stored on a former SEMC workforce member’s personal laptop and USB flash drive affected 595 individuals.

The July 8, 2015 agreement does not contain an admission by SEMC of liability or of any facts or violations; however, it does document OCR claims that SEMC allegedly:

  • disclosed the PHI of at least 1,093 individuals;
  • failed to implement sufficient security measures regarding the transmission of and storage of ePHI to reduce risks and vulnerabilities to a reasonable and appropriate level; and
  • failed to timely identify and respond to a known security incident, mitigate the harmful effects of the security incident, and document the security incident and its outcome.

The allegation that SEMC knew of a security incident and failed to effectively respond to it was an important factor in this settlement.

In the years since OCR first received the 2012 complaint, internet-based shared storage sites—such as Dropbox, Google Drive, and Blackboard Connect—have proliferated. Internet-based storage sites may not meet HIPAA requirements if they use inadequate security controls easily manipulated to allow unauthorized access to ePHI and susceptible to malware and/or harmful social engineering (i.e. fraudulent emails and notifications luring authorized users to grant access to outside parties). In particular, there is risk that multi-device and multi-computer access of some internet-based storage sites could be construed by OCR as failing to protect against reasonably anticipated threats or hazards to the security or integrity of such information. While healthcare entities and their business associates can benefit from the efficiencies that these tools create, they must be vigilant in assuring they are HIPAA compliant. Covered entities should consider restrictions on the use of internet-based shared storage sites outside of the entities’ own IT infrastructure, including prohibitions on storing and transmitting ePHI through non-approved or non-HIPAA compliant sites.

OCR has made the SEMC-OCR agreement available online here. Further, the HHS Office of the National Coordinator for Health Information Technology has published a “Guide to Privacy and Security of Electronic Health Information” found here.