Health Law Gurus

Hospital Pays $218,400 to OCR for HIPAA Violations

July 15, 2015 | By Lawrence J. Tabas

St. Elizabeth’s Medical Center (“SEMC”), a tertiary care hospital in Brighton, Massachusetts, has agreed to pay $218,400 to the Office for Civil Rights (“OCR”) to settle alleged violations of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). SEMC will also implement a corrective action plan.

The settlement stems from a 2012 complaint to OCR when SEMC workforce members reported that they used an internet-based document sharing application to store documents containing protected health information (“PHI”). Then in 2014, SEMC reported a separate incident to OCR regarding a breach of unsecured electronic PHI (“ePHI”) stored on a former SEMC workforce member’s personal laptop and USB flash drive.

OCR investigated each incident and found the following:

  1. SEMC disclosed the PHI of at least 1,093 individuals;
  2. SEMC failed to implement sufficient security measures regarding the transmission of and storage of ePHI to reduce risks and vulnerabilities to a reasonable and appropriate level; and
  3. SEMC failed to timely identify and respond to a known security incident, mitigate the harmful effects of the security incident, and document the security incident and its outcome.

OCR Director, Jocelyn Samuels, cautions that “[o]rganizations must pay particular attention to HIPAA’s requirements when using internet-based document sharing applications.” Also, “[i]n order to reduce potential risks and vulnerabilities, all workforce members must follow all policies and procedures, and entities must ensure that incidents are reported and mitigated in a timely manner.”

As part of the corrective action plan, SEMC must conduct a self-assessment within 120 calendar days of SEMC workforce members’ familiarity and compliance with SEMC policies and procedures addressing the following:

  • transmitting ePHI using unauthorized networks;
  • storing PHI on unauthorized information systems, including unsecured networks and devices;
  • removal of ePHI from SEMC;
  • prohibition on sharing accounts and passwords for ePHI access or storage;
  • encryption of portable devices that access or store ePHI; and
  • security incident reporting related to ePHI.

To read the Resolution Agreement, click here.

To read the OCR Bulletin, click here.

Categorized In: Compliance Issues, Covered Entities, HIPAA, Privacy, Security

About the Authors

Lawrence Tabas

Lawrence J. Tabas

Partner

Lawrence is the Chair for Obermayer’s Health Care Law Department and Election Law Practice Group. Lawrence’s Health Care Law legal experience includes the representation of Pennsylvania County governments in Behavioral Health Managed...

Read More by Author

Read Next

Telemedicine
12.31.2020  |  Alina Chuklin, Lawrence J. Tabas, Sydney N. Melillo

New Audio-Only Telemedicine Bill to Expand Telehealth Beyond the Pandemic

Guest Contributor population health strategies health data
06.12.2019

TRANSPARENCY: How Healthcare Providers Are Using Data To Advance Population Health Strategies

Guest Contributor
05.22.2019

TRANSPARENCY: Embracing CMS’s Push To Publicize Your Organization’s Performance