Blog: St. Elizabeth’s Medical Center Reaches Agreement to Settle Alleged HIPAA Breach

Cooley LLP

Last week, St. Elizabeth’s Medical Center (SEMC), a hospital located in Brighton, Massachusetts, agreed to settle alleged violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) by paying $218,400 and adopting a robust corrective action plan.

The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) first received a complaint regarding SEMC’s potential noncompliance with HIPAA on November 16, 2012. Specifically, this complaint described SEMC’s use of an internet-based document sharing application to store documents containing Protected Health Information (PHI), even though the risks of such practice had not been analyzed. Additionally, OCR received a breach notification from SEMC on August 25, 2014, regarding 595 individuals’ PHI stored on a former workforce member’s personal laptop and flash drive. OCR investigated the complaint and the breach report separately and found that SEMC: improperly disclosed the PHI of at least 1,093 individuals; failed to implement sufficient security measures regarding transmission and storage of electronic PHI; and failed to respond to a known security incident in the proper manner.

In addition to agreeing to pay $218,400, SEMC entered into a corrective action plan lasting 1 year. Pursuant to this corrective action plan, SEMC agreed to conduct a self-assessment regarding certain areas of HIPAA compliance; update its HIPAA policies, procedures, and training as needed; and report certain non-compliance of workforce members to OCR. OCR Director Jocelyn Samuels emphasized the importance of this settlement with respect to internet-based document sharing solutions. “Organizations must pay particular attention to HIPAA’s requirements when using internet-based document sharing applications. In order to reduce potential risks and vulnerabilities, all workforce members must follow all policies and procedures, and entities must ensure that incidents are reported and mitigated in a timely manner.”


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Cooley LLP | Attorney Advertising
