The Department of Health and Human Services’ Office for Civil Rights (OCR) reports it has entered into a resolution agreement with St. Elizabeth’s Medical Center for violations of the Health Insurance Portability and Accountability Act (HIPAA). St. Elizabeth’s has agreed to a fine of $218,000 and adoption of a corrective action plan to correct the deficiencies in its HIPAA compliance program. The agreement comes after investigation of two security incidents.
The first incident involved staff members using an Internet site to share documents containing electronic protected health information (ePHI) of about 500 individuals without taking into account the potential security risks. Furthermore, the investigation revealed that St. Elizabeth’s failed to adequately respond to a known security incident, mitigate the harmful effects, and document the incident.
The second incident was St. Elizabeth’s notification to the OCR of the theft of a staff member’s personal laptop and USB flash drive that contained unsecured ePHI. About 600 individuals were affected.
“Organizations must pay particular attention to HIPAA’s requirements when using internet-based document sharing applications,” said OCR Director Jocelyn Samuels. “In order to reduce potential risks and vulnerabilities, all workforce members must follow all policies and procedures, and entities must ensure that incidents are reported and mitigated in a timely manner.”
The corrective action plan agreed upon calls for the medical center to:
- Conduct a “self-assessment” of workforce members’ familiarity and compliance with the hospital’s policies and procedures that address issues including transmission and storage of ePHI;
- Review and revise policies and procedures related to ePHI; and
- Revise workforce training related to HIPAA and protection of PHI.
The OCR learned of the complaints from the staff members. Organizations should consider whether employees know how to report HIPAA issues or security incidents to the privacy and security officers. This gives the organization the opportunity to assess the incident and take any actions necessary to remediate the situation.
The settlement places significance on having a strategy in place when it comes to using the cloud. The strategy should include policies, training, and technical safeguards to ensure that ePHI stays secure and is kept out of unauthorized services and locations.
Another issue that continues to come up is unencrypted PHI on personal devices. The solution is clear: PHI shouldn’t be stored on a personal device unless it is necessary, and when it is necessary, it should be kept encrypted.