Hospital Pays $218,400 to OCR for HIPAA Violations
St. Elizabeth’s Medical Center (“SEMC”), a tertiary care hospital in Brighton, Massachusetts, has agreed to pay $218,400 to the Office for Civil Rights (“OCR”) to settle alleged violations of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). SEMC will also implement a corrective action plan.
The settlement stems from a 2012 complaint to OCR in which SEMC workforce members reported that they had used an internet-based document sharing application to store documents containing protected health information (“PHI”). Then, in 2014, SEMC reported a separate incident to OCR involving a breach of unsecured electronic PHI (“ePHI”) stored on a former SEMC workforce member’s personal laptop and USB flash drive.
OCR investigated each incident and found the following:
- SEMC disclosed the PHI of at least 1,093 individuals;
- SEMC failed to implement sufficient security measures regarding the transmission and storage of ePHI to reduce risks and vulnerabilities to a reasonable and appropriate level; and
- SEMC failed to timely identify and respond to a known security incident, mitigate the harmful effects of the security incident, and document the security incident and its outcome.
OCR Director Jocelyn Samuels cautions that “[o]rganizations must pay particular attention to HIPAA’s requirements when using internet-based document sharing applications.” She adds: “[i]n order to reduce potential risks and vulnerabilities, all workforce members must follow all policies and procedures, and entities must ensure that incidents are reported and mitigated in a timely manner.”
As part of the corrective action plan, SEMC must, within 120 calendar days, conduct a self-assessment of SEMC workforce members’ familiarity and compliance with SEMC policies and procedures addressing the following:
- transmitting ePHI using unauthorized networks;
- storing PHI on unauthorized information systems, including unsecured networks and devices;
- removal of ePHI from SEMC;
- prohibition on sharing accounts and passwords for ePHI access or storage;
- encryption of portable devices that access or store ePHI; and
- security incident reporting related to ePHI.
To read the Resolution Agreement, click here.
To read the OCR Bulletin, click here.