Last week, St. Elizabeth’s Medical Center (SEMC), a hospital located in Brighton, Massachusetts, agreed to settle alleged violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) by paying $218,400 and adopting a robust corrective action plan.
The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) first received a complaint regarding SEMC’s potential noncompliance with HIPAA on November 16, 2012. Specifically, the complaint described SEMC’s use of an internet-based document sharing application to store documents containing Protected Health Information (PHI), even though the risks of that practice had not been analyzed. Additionally, OCR received a breach notification from SEMC on August 25, 2014, concerning the PHI of 595 individuals that had been stored on a former workforce member’s personal laptop and flash drive. OCR investigated the complaint and the breach report separately and found that SEMC: improperly disclosed the PHI of at least 1,093 individuals; failed to implement sufficient security measures for the transmission and storage of electronic PHI; and failed to respond properly to a known security incident.
In addition to agreeing to pay $218,400, SEMC entered into a corrective action plan lasting one year. Under this corrective action plan, SEMC agreed to conduct a self-assessment of certain areas of HIPAA compliance; update its HIPAA policies, procedures, and training as needed; and report certain instances of workforce member non-compliance to OCR. OCR Director Jocelyn Samuels emphasized the significance of this settlement for internet-based document sharing solutions: “Organizations must pay particular attention to HIPAA’s requirements when using internet-based document sharing applications. In order to reduce potential risks and vulnerabilities, all workforce members must follow all policies and procedures, and entities must ensure that incidents are reported and mitigated in a timely manner.”