News Feature | July 27, 2015

HIPAA Settlement Highlights Role Of Internet Application Safeguards

By Christine Kern, contributing writer

St. Elizabeth’s Medical Center’s HIPAA ruling demonstrates the need to be vigilant when sharing documents.

St. Elizabeth’s Medical Center (SEMC) has agreed to a settlement in a HIPAA violation case resulting in a total of $218,400. In addition, SEMC is now required to adopt a corrective plan for its HIPAA compliance program. The case is significant because it highlights the importance of vigilance when healthcare organizations and providers use document-sharing applications for electronic protected health information (ePHI).

According to the bulletin from the Department of Health and Human Services (HHS), the Office for Civil Rights (OCR) received a complaint on November 16, 2012, alleging that SEMC employees had engaged in noncompliance with HIPAA rules by “using an internet-based document sharing application to store documents containing electronic protected health information of at least 498 individuals without having analyzed the risks associated with such a practice.” In a separate event, in August of 2014, SEMC notified HHS OCR of a breach of unsecured ePHI stored on a former SEMC employee’s personal laptop and USB flash drive, affecting 595 individuals.

OCR Director Jocelyn Samuels explained, “Organizations must pay particular attention to HIPAA’s requirements when using internet-based document sharing applications. In order to reduce potential risks and vulnerabilities, all workforce members must follow all policies and procedures, and entities must ensure that incidents are reported and mitigated in a timely manner.”

“There are no indications that any patient data had been viewed or misused in any way,” a hospital spokesperson told Healthcare IT News in an emailed statement. “St. Elizabeth’s Medical Center has settled the matter regarding events that occurred in 2012 and 2014.”

As part of the settlement, St. Elizabeth’s is required to “cure the gaps in the organization’s HIPAA compliance program,” OCR officials wrote in the bulletin, specifically by conducting a self-assessment of its employees’ awareness of and compliance with hospital privacy and security policies. The assessment will include “unannounced visits” to various hospital departments to assess policy implementation, and interviews of 15 “randomly selected” employees with access to PHI. Additionally, at least three portable devices in each department with access to PHI will be inspected.

According to a recent report on employee Internet usage by the Campbell, CA-based security firm Skyhigh Networks, employees at an average healthcare organization use a total of 928 cloud services, many without the knowledge of their IT departments. File-sharing services were among the top five uses of cloud services by healthcare workers in the report.

The SEMC case should bring proactive policies into focus for other healthcare organizations to help them avoid costly breaches and fines.