Two separate alleged HIPAA violations resulted in an enforcement action by the Department of Health and Human Services (“HHS”) against a Massachusetts hospital (“Hospital”). On July 10, 2015, the HHS Office for Civil Rights (“OCR”) announced a $218,400 settlement with the Hospital to resolve HIPAA investigations into two issues:
- Use of an internet document sharing application to store documents containing electronic protected health information (“ePHI”) without having analyzed the risks, affecting at least 498 individuals; and
- Breach of a former Hospital workforce member’s personal laptop and USB flash drive containing ePHI, affecting 595 individuals.
The internet application issue was brought to OCR’s attention by a complaint made by Hospital workforce members in October 2012.
The portable device issue was brought to OCR’s attention by the Hospital through a breach notification report in August 2014. On OCR’s list of “Breaches Affecting 500 or More Individuals” (“List”), this incident is described as a theft. (Of note, the OCR List also includes an April 2012 breach by the Hospital involving the loss of hard copy PHI affecting 6,831 individuals, but this incident was not part of the Resolution Agreement.)
Based on specific references in the Corrective Action Plan, the incidents appear to have impacted the Hospital’s Cardiology and Hematology/Oncology Departments.
In the end, OCR determined that the Hospital disclosed the ePHI of a combined total of at least 1,093 individuals, failed to implement sufficient security measures and failed to timely and adequately respond to the security incidents.
To resolve the alleged violations, HHS and the Hospital entered into a Resolution Agreement that requires the Hospital to pay $218,400 and adopt a robust Corrective Action Plan (“CAP”). The CAP requires the Hospital to take several corrective actions, including:
- Conduct a self-assessment within 120 days on its workforce’s familiarity and compliance with Hospital policies and procedures on:
- Transmission of ePHI using unauthorized networks;
- Storage of ePHI on any unauthorized information systems, including unsecured networks and devices;
- Removal of ePHI from the Hospital;
- Prohibition on sharing of accounts and passwords for ePHI access or storage;
- Encryption of portable devices that access or store ePHI; and
- Security incident reporting related to ePHI (“Policies”).
The self-assessment is to include:
- Unannounced site visits at five Hospital departments (including Cardiology);
- Interviews of 15 randomly selected workforce members (including at least three Cardiology and Hematology/Oncology interns, residents or fellows); and
- Inspection of three portable devices.
- Revise Policies as determined necessary by the self-assessment
- Conduct workforce training
- Submit to OCR various compliance reports
In the OCR press release, OCR Director Jocelyn Samuels advised that “organizations must pay particular attention when using internet-based document sharing applications. In order to reduce potential risks and vulnerabilities, all workforce members must follow all policies and procedures, and entities must ensure that incidents are reported and mitigated in a timely manner.”
“Lessons learned” for covered entities and business associates include reminders to:
- Carefully evaluate web-based or cloud solutions;
- Ensure workforce training covers how to securely transmit ePHI, how to securely store ePHI, the rules on taking ePHI off-site, reminders not to share accounts and passwords and the rules on reporting security incidents;
- Conduct self-audits and periodically check workforce members’ comprehension and compliance with policies and procedures;
- Inspect laptops, smartphones, storage media workstations and other portable devices;
- Block access to high-risk websites; and
- Document all HIPAA compliance efforts to demonstrate the organization’s commitment to prevent and mitigate consequences of breaches.
More information on this enforcement action, including the Resolution Agreement and the HHS press release, is available here.