Summary
St. Elizabeth’s Medical Center (SEMC), a tertiary care hospital based in Brighton, Mass., agreed to pay $218,400 to address deficiencies in its HIPAA compliance activities. The SEMC settlement continues a pattern of enforcement actions from the Department of Health and Human Services (HHS) Office of Civil Rights (OCR) against hospitals and medical practices related to HIPAA compliance.
In November 2012, OCR received a complaint from members of SEMC’s workforce that SEMC was using an internet-based document sharing application that stored documents containing electronic protected health information (ePHI) of almost five hundred people without analyzing the risks of doing so. Separately, in August 2014, SEMC notified OCR of a breach of unsecured ePHI from a former SEMC workforce member’s personal laptop and flash drive that affected approximately 600 individuals.
In addition to the monetary payment, SEMC agreed to enter into a one-year corrective action plan (CAP) with OCR. The CAP requires SEMC to perform a self-assessment addressing six different protocols relating to ePHI, unannounced visits to five SEMC departments to assess the implementation of the required policies and procedures, at least 15 interviews with a diverse cross-section of SEMC workforce members who have access to ePHI, and the inspection of at least three portable devices in each of the five SEMC departments that are the subject of the unannounced visits. SEMC is required to provide a self-assessment report to HHS, as well as an implementation report within one year after the effective date of the CAP.
HIPAA compliance by covered entities, including hospitals and providers, remains a priority of OCR. Saul Ewing has previously written about recent OCR investigations and settlements; see:
HIPAA Security Violations Result In $1.7 Million Settlement
Colorado Compounding Pharmacy Enters Six-Figure Settlement Agreement to Settle Alleged HIPAA Privacy Rule Violations
$150,000 HIPAA Settlement Following Breach of Unsecured PHI Due To Malware
Medical practice agrees to payment due to HIPAA data breach
Covered entities must continue to conduct the required risk assessments, monitor HIPAA compliance, provide regular training to members of their workforce, keep mitigation and breach-response policies in effect and ready to implement, and continue to ensure the privacy and security of ePHI and PHI generally.