On June 10, 2015, the U.S. Department of Health and Human Services, Office for Civil Rights (OCR), announced that it had entered into a resolution agreement with St. Elizabeth’s Medical Center (St. Elizabeth’s), a Massachusetts hospital, to resolve potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, and Breach Notification Rules.  As part of the settlement, St. Elizabeth’s agreed to pay $218,000 and implement a corrective action plan to address identified deficiencies in its HIPAA compliance program.

This settlement is the result of OCR’s investigation into two separate incidents involving St. Elizabeth’s:

  • An investigation into St. Elizabeth’s use of an internet-based document sharing application to store documents containing protected health information (“PHI”) of approximately 500 individuals, initiated in response to a complaint received in November 2012; and
  • An investigation, initiated after St. Elizabeth’s required notification to OCR in August 2014, into a breach of unsecured PHI, after St. Elizabeth’s found PHI for approximately 600 individuals stored on a former workforce member’s personal laptop and USB flash drive.

While the information provided by OCR makes it difficult to determine exactly how much of the liability arose from each incident, OCR’s main focus appears to have been on the use of the internet-based document sharing application, most likely because St. Elizabeth’s has stated that there has been no indication that any patient data on the former workforce member’s personal laptop has been viewed or misused in any way.  Regardless of how the resolution amount was reached, this settlement provides a useful reminder to health care providers, other covered entities, and business associates about the importance of analyzing the risks associated with using internet-based applications, having in place robust information system security policies, and promptly identifying, responding to, and mitigating identified security incidents and other breaches.  Arent Fox discussed other, related risks arising from the intersection of health care and technology in this recent blog post and in our October 2014 Importance of Protecting Your Health Care Organization Against a Cybercrime Attack seminar.

A copy of OCR’s press release is available here.

A copy of the Resolution Agreement is available here.