HHS, Hospital Settle HIPAA Charges for $218K

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Martha Kessler

July 14 — A Massachusetts hospital has agreed to pay $218,400 and implement a corrective action plan to correct deficiencies in its Health Insurance Portability and Accountability Act compliance program under a recently unveiled no-fault resolution agreement with federal officials.

The pact settles allegations by the Department of Health and Human Services that St. Elizabeth's Medical Center in Brighton, Mass., violated the HIPAA Privacy Rule, Security Rule and Breach Notification Rule.

In 2012, the HHS Office for Civil Rights filed a complaint alleging that medical center workers used an Internet-based document sharing application to store files containing the electronic protected health information (ePHI) of at least 498 people without having analyzed the risks associated with the practice.

“Organizations must pay particular attention to HIPAA's requirements when using internet-based document sharing applications,” OCR Director Jocelyn Samuels said in a statement issued July 13. “In order to reduce potential risks and vulnerabilities, all workforce members must follow all policies and procedures, and entities must ensure that incidents are reported and mitigated in a timely manner.”

Separate Incident in 2014 

The agency said in a bulletin issued July 10 that its investigation found that St. Elizabeth's failed to “identify and respond to the known security incident, mitigate the harmful effects of the security incident, and document the security incident and its outcome” in a timely manner.

In addition, the OCR said it had been notified by St. Elizabeth's in August 2014 of a separate incident involving a breach affecting 595 individuals that involved unsecured ePHI stored on a former St. Elizabeth's employee's personal laptop and USB flash drive.

Corrective Action Plan

St. Elizabeth's is a tertiary care hospital that is affiliated with the Tufts University School of Medicine and is member of Steward Health Care, the second-largest health-care system in New England.

The OCR said the size of the settlement payment takes into account the circumstances of the complaint and the breach, the size of the medical center and the type of health information compromised. The resolution agreement also contains a corrective action plan that St. Elizabeth's has agreed to implement and which is designed to address gaps in its HIPAA compliance program raised by both the complaint and the breach, the OCR said.

Brooke Thurston, a spokeswoman for Steward Health Care System, told Bloomberg BNA July 14 that the medical center “has settled the matter regarding events that occurred in 2012 and 2014. There are no indications that any patient data had been viewed or misused in any way.”

To contact the reporter on this story: Martha Kessler in Boston at mkessler@bna.com

To contact the editor responsible for this story: Janey Cohen at jcohen@bna.com

The resolution agreement is available at http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/SEMC/ra.pdf.