Home > Insights > Blogs > Health Law Checkup > Insufficient protection of PHI leads to HIPAA settlement
Health Law Checkup_default blog

Insufficient protection of PHI leads to HIPAA settlement

Milada Goturi July 16, 2015

Links

Contributors

Contributors

Raquel Boton

Raquel Boton

Catherine Feorene

Catherine Feorene

Jim Fogle

Jim Fogle

Suzanne Galvin

Suzanne Galvin

Evan Raskas Goldfarb

Evan Raskas Goldfarb

A. Jay Goldstein

A. Jay Goldstein

Milada Goturi

Milada Goturi

Ed Harvey

Ed Harvey

Joy Harris Hennessy

Joy Harris Hennessy

Nicole Jobe

Nicole Jobe

Kevin Kifer

Kevin Kifer

April Kirkley

April Kirkley

Bryan Gray Looney

Bryan Gray Looney

Jan Paul Miller

Jan Paul Miller

Tonya Oliver Rose

Tonya Oliver Rose

Claire Schenk

Claire Schenk

Mackenzie Wallace

Mackenzie Wallace

The latest settlement between the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) and St. Elizabeth’s Medical Center, a tertiary care Massachusetts hospital (SEMC), is a reminder that having a strong and functioning HIPAA compliance program is imperative for organizations subject to HIPAA.

OCR opened its investigation of SEMC’s HIPAA compliance practices after receiving a complaint on November 16, 2012 alleging that SEMC violated HIPAA and that its workforce members used an internet-based document sharing application to store documents containing electronic protected health information (PHI).  Subsequently, on August 25, 2014, SEMC notified OCR of a breach of unsecured PHI affecting 595 individuals related to storing PHI on a former SEMC workforce member’s personal laptop and USB flash drive.  The OCR’s investigation of these matters found that SEMC failed to implement sufficient security measures regarding the transmission and storage of PHI to reduce risks and vulnerabilities to a reasonable level, did not timely identify and respond to a known security incident and improperly disclosed PHI of at least 1093 individuals. On July 8, 2015, SEMC entered into a resolution agreement with the OCR to resolve these matters.

The $218,400 settlement amount under the resolution agreement took into consideration the circumstances of the complaint and breach, the size of the entity and types of PHI disclosed. In addition to paying the settlement, the resolution agreement requires SEMC to adopt a robust corrective action plan to address HIPAA compliance. Under the corrective action plan, SEMC must assess its workforce members’ familiarity and compliance with SEMC policies and procedures addressing:

  • transmitting PHI using unauthorized networks,
  • storing PHI on unauthorized information systems, including unsecured networks and devices,
  • removal of PHI from SEMC,
  • prohibition on sharing accounts and passwords for PHI access or storage,
  • encryption of portable devices that access or store PHI, and
  • reporting security incidents.

In addition, the corrective action plan also requires SEMC to appropriately strengthen its HIPAA policies and procedures, revise its HIPAA training and timely investigate and report to the OCR noncompliance with its HIPAA policies and procedures by workforce members.

In connection with this settlement, OCR highlighted the importance of following HIPAA requirements when using internet based document sharing applications and emphasized that to reduce potential risks and vulnerabilities to PHI, workforce must follow HIPAA policies and that security incidents must be reported and mitigated in a timely manner.

Milada Goturi is a partner in Thompson Coburn's Health Law Practice Group. She can be reached at (202) 585-6951 or mgotui@thompsoncoburn.com.