On July 10, 2015, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) announced a substantial settlement with St. Elizabeth’s Medical Center (SEMC). Under the terms of the settlement, the hospital agreed to pay $218,400 in fines and abide by a lengthy corrective action plan detailed in a resolution agreement.
The SEMC settlement comes after an OCR investigation revealed potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy, Security, and Breach Notification Rules. OCR opened its investigation following a complaint alleging that the hospital was using an Internet-based document-sharing application to store documents containing electronic protected health information (ePHI) without having analyzed the risks associated with such a practice. OCR also was notified of a separate breach related to ePHI stored on a former workforce member’s unsecured personal laptop and USB flash drive. These violations compromised a total of 1,093 individuals’ ePHI.
In addition to paying $218,400, the hospital agreed to implement an extensive assessment and revision of all policies and procedures related to electronic storage and transmission of ePHI. Any and all proposed revisions of SEMC data privacy policies must be submitted to HHS for review and approval. In addition, SEMC has agreed to promptly investigate all “reportable events,” or instances where a workforce member has failed to comply with data privacy policies. All reportable events must be submitted immediately to HHS for review and after one year, SEMC also must submit a summary of all reportable events, along with actions taken to mitigate harm and prevent recurrence. The hospital also must submit an attestation that all workforce members have completed all required trainings relating to ePHI.
The recent SEMC settlement is another example of increased emphasis that OCR is placing on security of PHI stored and transmitted electronically. Following this incident, OCR Director Jocelyn Samuels warned that "[o]rganizations must pay particular attention to HIPAA's requirements when using internet-based document sharing applications."