A Boston hospital pays when its employees neglect HIPAA

After two investigations by the United States Department of Health and Human Services, Office for Civil Rights (“HHS”), St. Elizabeth’s Medical Center, a Boston-based hospital, has agreed to a Resolution Agreement with HHS. The Resolution Agreement appears to settle two apparently unrelated HIPAA issues at the same facility in 2012 and 2014.

The Resolution Agreement requires St. Elizabeth’s to pay $218,400 and implement a Corrective Action Plan. In addition to the penalty, St. Elizabeth’s must implement a self-assessment protocol and revise its policies and procedures.

The Resolution Agreement indicates that HHS received a complaint about a potential HIPAA violation at St. Elizabeth’s in November of 2012.  St. Elizabeth’s employees allegedly used an internet-based document sharing application to store documents that included sensitive patient information, including electronic protected health information, or ePHI.  St. Elizabeth’s apparently never vetted the security of the document sharing program.

In August 2014, St. Elizabeth’s reported a breach of unsecured ePHI to HHS.  Unsecured ePHI stored on a former St. Elizabeth’s employee’s laptop and flash drive formed the basis for the breach, which affected 595 individuals.

The Resolution Agreement can be viewed here:  http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/SEMC/ra.pdf.

Eric Dyer assisted in writing this blog post.  For more information about HIPAA and data security, contact Caitlin Monjeau.