Internet-based file-sharing services such as Dropbox and Google Drive can be easy and convenient to use, whether via the touch of an app on a mobile device or by opening a browser on a PC. Healthcare professionals are often tempted to use such services to store or share documents, since the stored documents can be accessed quickly or shared efficiently with colleagues, workforce members, and other providers. But healthcare workers should think twice about using such services when documents contain protected health information, since doing so raises significant HIPAA compliance issues.
St. Elizabeth’s Medical Center (SEMC), a hospital in Brighton, Massachusetts, agreed to settle potential HIPAA violations after workforce members used an Internet-based document file-sharing service to store documents containing the ePHI of 498 individuals without first assessing the risks of using the service. Under the terms of the Resolution Agreement, SEMC will pay $218,400 to the U.S. Department of Health & Human Services’ Office for Civil Rights (OCR) and must comply with a Corrective Action Plan (CAP).
SEMC first came to OCR’s attention in November 2012, when OCR received a complaint about SEMC’s use of the file-sharing service to store documents containing ePHI. While that investigation was still pending, in August 2014 SEMC notified OCR of a separate breach involving a former workforce member’s personal laptop and USB device, which contained the PHI of 595 individuals.
Taking the two incidents together, OCR found that SEMC had disclosed the PHI of at least 1,093 individuals (498 in the file-sharing incident and 595 in the laptop and USB incident). OCR also found that SEMC failed to implement sufficient security measures for the transmission and storage of ePHI, and that it failed to identify and respond to a security incident in a timely manner and to mitigate its effects.
The terms of the CAP require SEMC to take various actions, including:
performing a self-assessment of its workforce members’ familiarity with SEMC’s policies and procedures for the transmission and storage of ePHI, including, as part of that self-assessment, unannounced visits to five SEMC departments and inspection of portable devices;
drafting appropriate revisions to policies and procedures; and
revising training materials and procedures, as appropriate.
OCR’s action against SEMC underscores the risks of using file-sharing services. Many services do not offer end-to-end encryption: a document may be encrypted in transit and again at rest on the provider’s servers, with the provider rather than the customer holding the keys, yet sit unencrypted once it is synced or downloaded to a laptop, phone or USB device. Each such gap is a compliance issue to assess. Where are the provider’s servers physically located, and what physical and technical safeguards does the provider use to limit access to them? What limitations and access controls govern sharing of uploaded documents with others? Can personal devices, not under the control of the healthcare facility, access or sync the documents? And will the provider enter into a Business Associate Agreement? Some well-known providers will not.
Without addressing these issues, healthcare organizations use document file-sharing services at their own peril. As OCR pointed out in its bulletin announcing the settlement with SEMC, “Organizations must pay particular attention to HIPAA’s requirements when using internet-based document sharing applications. In order to reduce potential risks and vulnerabilities, all workforce members must follow all policies and procedures, and entities must ensure that incidents are reported and mitigated in a timely manner.”