Hospital Pays $218,400 to OCR for HIPAA Violations

Obermayer Rebmann Maxwell & Hippel LLP

St. Elizabeth’s Medical Center (“SEMC”), a tertiary care hospital in Brighton, Massachusetts, has agreed to pay $218,400 to the Office for Civil Rights (“OCR”) to settle alleged violations of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). SEMC will also implement a corrective action plan.

The settlement stems from a 2012 complaint to OCR when SEMC workforce members reported that they used an internet-based document sharing application to store documents containing protected health information (“PHI”). Then in 2014, SEMC reported a separate incident to OCR regarding a breach of unsecured electronic PHI (“ePHI”) stored on a former SEMC workforce member’s personal laptop and USB flash drive.

OCR investigated each incident and found the following:

  1. SEMC disclosed the PHI of at least 1,093 individuals;
  2. SEMC failed to implement sufficient security measures regarding the transmission of and storage of ePHI to reduce risks and vulnerabilities to a reasonable and appropriate level; and
  3. SEMC failed to timely identify and respond to a known security incident, mitigate the harmful effects of the security incident, and document the security incident and its outcome.

OCR Director, Jocelyn Samuels, cautions that “[o]rganizations must pay particular attention to HIPAA’s requirements when using internet-based document sharing applications.” Also, “[i]n order to reduce potential risks and vulnerabilities, all workforce members must follow all policies and procedures, and entities must ensure that incidents are reported and mitigated in a timely manner.”

As part of the corrective action plan, SEMC must conduct a self-assessment within 120 calendar days of SEMC workforce members’ familiarity and compliance with SEMC policies and procedures addressing the following:

  • transmitting ePHI using unauthorized networks;
  • storing PHI on unauthorized information systems, including unsecured networks and devices;
  • removal of ePHI from SEMC;
  • prohibition on sharing accounts and passwords for ePHI access or storage;
  • encryption of portable devices that access or store ePHI; and
  • security incident reporting related to ePHI.

To read the Resolution Agreement, click here.

To read the OCR Bulletin, click here.

Written by:

Obermayer Rebmann Maxwell & Hippel LLP

Obermayer Rebmann Maxwell & Hippel LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.