A recent example of a HIPAA violation was St. Elizabeth’s Medical Center in Brighton, Massachusetts. Due to two separate violations of HIPAA that involved compromised electronic protected health information, St. Elizabeth’s is required to pay $218,400 in fines. Although it is unclear whether or not the information was misused, the act of not securing the information is enough to require payment of the fine to the United States Department of Health and Human Services, Office for Civil Rights (HHS).
In November of 2012, complaints reached the HHS about employees at St. Elizabeth’s using internet-based document sharing to share and store documents containing the Protected Health Information (PHI) of over 500 patients. HHS began investigating in February of 2013. During the investigation, reports came in regarding a breach of information on August 25, 2014, when an employee’s unsecured personal laptop containing PHI was compromised, affecting 595 patients. In all, a total of at least 1,093 individuals were affected by the two separate incidents.
St. Elizabeth’s was taken to court by the HHS, fined $218,400, and required to come up with a Corrective Action Plan (CAP) to ensure that a breach like the ones listed above would never happen again. Some provisions of the CAP include: removal of electronic PHI, prohibition of sharing accounts and passwords for access or storage, a requirement to encrypt portable devices, etc. They are also required to conduct random interviews of employees and inspections of devices containing PHI during the trial period set by the court settlement. Another part of the settlement is that St. Elizabeth’s is required to review and revise its training program, and then train all individuals within the organization.
St. Elizabeth’s is not the only hospital with a potential HIPAA violation on its hands due to cloud-based applications used to store PHI. Sky High recently reported that the average healthcare organization uses 928 cloud-based applications per month. It is imperative for hospitals and private practices to be knowledgeable about every system they use to transfer and store PHI, as well as the weaknesses and limitations of those systems, ensuring that data is protected according to HIPAA standards.
If you are concerned about the compliance of your practice, contact Compliance PHD today to sign up for a membership to take HIPAA privacy and HIPAA Security courses.