Hospital’s Cloud-Based Document-Sharing Practices Lead to $218,400 HIPAA Settlement

McGuireWoods LLP

On July 10, 2015, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) announced a substantial settlement with St. Elizabeth’s Medical Center (SEMC). Under the terms of the settlement, the hospital agreed to pay $218,400 in fines and abide by a lengthy corrective action plan detailed in a resolution agreement.

The SEMC settlement comes after an OCR investigation revealed potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy, Security, and Breach Notification Rules. OCR opened its investigation following a complaint alleging that the hospital was using an Internet-based document-sharing application to store documents containing electronic protected health information (ePHI) without having analyzed the risks associated with such a practice. OCR was also notified of a separate breach involving ePHI stored on a former workforce member’s unsecured personal laptop and USB flash drive. Together, these violations compromised the ePHI of 1,093 individuals.

In addition to paying $218,400, the hospital agreed to implement an extensive assessment and revision of all policies and procedures related to electronic storage and transmission of ePHI. Any and all proposed revisions of SEMC data privacy policies must be submitted to HHS for review and approval. In addition, SEMC has agreed to promptly investigate all “reportable events,” or instances where a workforce member has failed to comply with data privacy policies. All reportable events must be submitted immediately to HHS for review and after one year, SEMC also must submit a summary of all reportable events, along with actions taken to mitigate harm and prevent recurrence. The hospital also must submit an attestation that all workforce members have completed all required trainings relating to ePHI.

The recent SEMC settlement is another example of the increased emphasis that OCR is placing on the security of PHI stored and transmitted electronically. Following this incident, OCR Director Jocelyn Samuels warned that "[o]rganizations must pay particular attention to HIPAA's requirements when using internet-based document sharing applications."

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© McGuireWoods LLP | Attorney Advertising
