Insufficient protection of PHI leads to HIPAA settlement

Milada Goturi July 16, 2015

The latest settlement between the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) and St. Elizabeth’s Medical Center (SEMC), a tertiary care hospital in Massachusetts, is a reminder that having a strong and functioning HIPAA compliance program is imperative for organizations subject to HIPAA.

OCR opened its investigation of SEMC’s HIPAA compliance practices after receiving a complaint on November 16, 2012, alleging that SEMC violated HIPAA and that its workforce members used an internet-based document sharing application to store documents containing electronic protected health information (PHI). Subsequently, on August 25, 2014, SEMC notified OCR of a breach of unsecured PHI affecting 595 individuals related to storing PHI on a former SEMC workforce member’s personal laptop and USB flash drive. The OCR’s investigation of these matters found that SEMC failed to implement sufficient security measures regarding the transmission and storage of PHI to reduce risks and vulnerabilities to a reasonable level, did not timely identify and respond to a known security incident, and improperly disclosed PHI of at least 1093 individuals. On July 8, 2015, SEMC entered into a resolution agreement with the OCR to resolve these matters.

The $218,400 settlement amount under the resolution agreement took into consideration the circumstances of the complaint and breach, the size of the entity and types of PHI disclosed. In addition to paying the settlement, the resolution agreement requires SEMC to adopt a robust corrective action plan to address HIPAA compliance. Under the corrective action plan, SEMC must assess its workforce members’ familiarity and compliance with SEMC policies and procedures addressing:

  • transmitting PHI using unauthorized networks,
  • storing PHI on unauthorized information systems, including unsecured networks and devices,
  • removal of PHI from SEMC,
  • prohibition on sharing accounts and passwords for PHI access or storage,
  • encryption of portable devices that access or store PHI, and
  • reporting security incidents.

In addition, the corrective action plan requires SEMC to appropriately strengthen its HIPAA policies and procedures, revise its HIPAA training, and timely investigate and report to the OCR noncompliance with its HIPAA policies and procedures by workforce members.

In connection with this settlement, OCR highlighted the importance of following HIPAA requirements when using internet-based document sharing applications and emphasized that, to reduce potential risks and vulnerabilities to PHI, workforce members must follow HIPAA policies and security incidents must be reported and mitigated in a timely manner.

Milada Goturi is a partner in Thompson Coburn's Health Law Practice Group. She can be reached at (202) 585-6951 or mgotui@thompsoncoburn.com.