Boston Hospital Fined $218,000

St. Elizabeth’s Medical Center in Massachusetts has been hit with a $218,000 HIPAA penalty. This penalty is the result of an investigation stemming from two security incidents.

The first incident involved staff members using an Internet site to share documents containing patient data without first assessing risks. The second involved the theft of a worker’s personally owned unencrypted laptop and storage device.

In addition to the penalty, the Department of Health and Human Services’ Office for Civil Rights has entered a resolution agreement with St. Elizabeth’s Medical Center that also includes a “robust” corrective action plan to correct deficiencies in the hospital’s HIPAA compliance program.

The Brighton, Mass., based medical center is part of Steward Health Care System.

Privacy and security experts say the OCR settlement offers a number of valuable lessons, including the importance of the workforce knowing how to report security issues internally, as well as the need to have strong policies and procedures for safeguarding PHI in the cloud.

First Incident:
On Nov. 16, 2012, OCR received a complaint alleging noncompliance with HIPAA. The complaint alleged that staff used an Internet-based document sharing application to store documents containing electronic protected health information (ePHI) of at least 498 individuals. According to OCR, staff did this without analyzing the risks associated with such a practice.

OCR’s investigation found that the medical center failed to identify and respond to the security incident in a timely manner, failed to mitigate the harmful effects of the incident, and failed to document the incident and its outcome.

Second Incident:
On Aug. 25, 2014, St. Elizabeth’s Medical Center notified OCR of a breach involving unencrypted ePHI stored on a former hospital worker’s personal laptop and USB flash drive, both of which had been stolen. The breach affected 595 individuals.

Lessons Learned
Healthcare organizations and business associates need to heed some lessons from OCR’s latest HIPAA enforcement action.

Entities need to ensure their employees know how to report HIPAA issues internally to the privacy and security officers, and that any concerns raised are adequately addressed.

The settlement highlights the importance of having a cloud computing strategy. That strategy should include policies, training and technical safeguards that keep PHI off of unauthorized online file-sharing services.

The enforcement action also emphasizes the ongoing challenge of preventing unencrypted PHI from ending up on personal devices, where it may become the subject of a breach.

Both of these incidents emphasize that healthcare providers need to ensure that they have a comprehensive plan in place to avoid breaches and the numerous issues that stem from them. If you have any questions regarding your preparation level, call ITPAC today.