Hospital Pays $218,400 to OCR for HIPAA Violations

July 15, 2015 | By Lawrence J. Tabas

St. Elizabeth’s Medical Center (“SEMC”), a tertiary care hospital in Brighton, Massachusetts, has agreed to pay $218,400 to the Office for Civil Rights (“OCR”) to settle alleged violations of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). SEMC will also implement a corrective action plan.

The settlement stems from a 2012 complaint to OCR when SEMC workforce members reported that they used an internet-based document sharing application to store documents containing protected health information (“PHI”). Then in 2014, SEMC reported a separate incident to OCR regarding a breach of unsecured electronic PHI (“ePHI”) stored on a former SEMC workforce member’s personal laptop and USB flash drive.

OCR investigated each incident and found the following:

  1. SEMC disclosed the PHI of at least 1,093 individuals;
  2. SEMC failed to implement sufficient security measures regarding the transmission of and storage of ePHI to reduce risks and vulnerabilities to a reasonable and appropriate level; and
  3. SEMC failed to timely identify and respond to a known security incident, mitigate the harmful effects of the security incident, and document the security incident and its outcome.

OCR Director, Jocelyn Samuels, cautions that “[o]rganizations must pay particular attention to HIPAA’s requirements when using internet-based document sharing applications.” Also, “[i]n order to reduce potential risks and vulnerabilities, all workforce members must follow all policies and procedures, and entities must ensure that incidents are reported and mitigated in a timely manner.”

As part of the corrective action plan, SEMC must conduct a self-assessment within 120 calendar days of SEMC workforce members’ familiarity and compliance with SEMC policies and procedures addressing the following:

  • transmitting ePHI using unauthorized networks;
  • storing PHI on unauthorized information systems, including unsecured networks and devices;
  • removal of ePHI from SEMC;
  • prohibition on sharing accounts and passwords for ePHI access or storage;
  • encryption of portable devices that access or store ePHI; and
  • security incident reporting related to ePHI.

To read the Resolution Agreement, click here.

To read the OCR Bulletin, click here.

About the Authors

Lawrence J. Tabas


Lawrence is the Chair for Obermayer’s Health Care Law Department and Election Law Practice Group. Lawrence’s Health Care Law legal experience includes the representation of Pennsylvania County governments in Behavioral Health Managed...

Read More by Author