Massachusetts Hospital Agrees to Six-Figure Payment Related to HIPAA Compliance Allegations

Saul Ewing LLP
Summary

St. Elizabeth’s Medical Center (SEMC), a tertiary care hospital based in Brighton, Mass., agreed to pay $218,400 to address deficiencies in its HIPAA compliance activities. The SEMC settlement continues a pattern of enforcement actions from the Department of Health and Human Services (HHS) Office of Civil Rights (OCR) against hospitals and medical practices related to HIPAA compliance.

In November 2012, OCR received a complaint from members of SEMC’s workforce that SEMC was using an internet-based document sharing application that stored documents containing electronic protected health information (ePHI) of almost five hundred people without analyzing the risks of doing so. Separately, in August 2014, SEMC notified OCR of a breach of unsecured ePHI from a former SEMC workforce member’s personal laptop and flash drive that affected approximately 600 individuals.

In addition to the monetary payment, SEMC agreed to enter into a one-year corrective action plan (CAP) with OCR. The CAP requires SEMC to perform a self-assessment addressing six different protocols relating to ePHI, unannounced visits to five SEMC departments to assess the implementation of the required policies and procedures, at least 15 interviews with a diverse cross-section of SEMC workforce members who have access to ePHI, and the inspection of at least three portable devices in each of the five SEMC departments that are the subject of the unannounced visits. SEMC is required to provide a self-assessment report to HHS, as well as an implementation report within one year after the effective date of the CAP.

HIPAA compliance by covered entities, including hospitals and providers, remains a priority of OCR. Saul Ewing has previously written about recent OCR investigations and settlements; see:

HIPAA Security Violations Result In $1.7 Million Settlement

Colorado Compounding Pharmacy Enters Six-Figure Settlement Agreement to Settle Alleged HIPAA Privacy Rule Violations

$150,000 HIPAA Settlement Following Breach of Unsecured PHI Due To Malware

Medical practice agrees to payment due to HIPAA data breach

Covered entities must continue to conduct required risk assessments, monitor HIPAA compliance, provide regular training to members of their workforce, have mitigation and breach policies in effect and ready to implement, and continue to ensure the privacy and security of ePHI and PHI generally.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Saul Ewing LLP | Attorney Advertising
