July 16, 2015

Hospital Pays $218,400 to OCR for HIPAA Violations

+ Follow Contact

Send

Embed

St. Elizabeth’s Medical Center (“SEMC”), a tertiary care hospital in Brighton, Massachusetts, has agreed to pay $218,400 to the Office for Civil Rights (“OCR”) to settle alleged violations of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). SEMC will also implement a corrective action plan.

The settlement stems from a 2012 complaint to OCR when SEMC workforce members reported that they used an internet-based document sharing application to store documents containing protected health information (“PHI”). Then in 2014, SEMC reported a separate incident to OCR regarding a breach of unsecured electronic PHI (“ePHI”) stored on a former SEMC workforce member’s personal laptop and USB flash drive.

OCR investigated each incident and found the following:

SEMC disclosed the PHI of at least 1,093 individuals;
SEMC failed to implement sufficient security measures regarding the transmission of and storage of ePHI to reduce risks and vulnerabilities to a reasonable and appropriate level; and
SEMC failed to timely identify and respond to a known security incident, mitigate the harmful effects of the security incident, and document the security incident and its outcome.

OCR Director, Jocelyn Samuels, cautions that “[o]rganizations must pay particular attention to HIPAA’s requirements when using internet-based document sharing applications.” Also, “[i]n order to reduce potential risks and vulnerabilities, all workforce members must follow all policies and procedures, and entities must ensure that incidents are reported and mitigated in a timely manner.”

As part of the corrective action plan, SEMC must conduct a self-assessment within 120 calendar days of SEMC workforce members’ familiarity and compliance with SEMC policies and procedures addressing the following:

transmitting ePHI using unauthorized networks;
storing PHI on unauthorized information systems, including unsecured networks and devices;
removal of ePHI from SEMC;
prohibition on sharing accounts and passwords for ePHI access or storage;
encryption of portable devices that access or store ePHI; and
security incident reporting related to ePHI.

To read the Resolution Agreement, click here.

To read the OCR Bulletin, click here.

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

Written by:

Obermayer Rebmann Maxwell & Hippel LLP

Contact + Follow

Lawrence Tabas

+ Follow

less

PUBLISH YOUR CONTENT ON JD SUPRA NOW

Increased visibility
Actionable analytics
Ongoing guidance

Learn More

Published In:

Data-Sharing

+ Follow

Enforcement Actions

+ Follow

Health Care Providers

+ Follow

Health Insurance Portability and Accountability Act (HIPAA)

+ Follow

Healthcare

+ Follow

OCR

+ Follow

PHI

+ Follow

Settlement

+ Follow

Consumer Protection

+ Follow

Health

+ Follow

Privacy

+ Follow

Science, Computers & Technology

+ Follow

less

Obermayer Rebmann Maxwell & Hippel LLP on:

Hospital Pays $218,400 to OCR for HIPAA Violations

Related Posts

Written by:

PUBLISH YOUR CONTENT ON JD SUPRA NOW

Published In:

Obermayer Rebmann Maxwell & Hippel LLP on:

"My best business intelligence, in one easy email…"