Massachusetts Hospital Agrees to Six-Figure Payment Related to HIPAA Compliance Allegations
St. Elizabeth’s Medical Center (SEMC), a tertiary care hospital based in Brighton, Mass., agreed to pay $218,400 to address deficiencies in its HIPAA compliance activities. The SEMC settlement continues a pattern of enforcement actions from the Department of Health and Human Services (HHS) Office of Civil Rights (OCR) against hospitals and medical practices related to HIPAA compliance.
In November 2012, OCR received a complaint from members of SEMC’s workforce that SEMC was using an internet-based document sharing application that stored documents containing electronic protected health information (ePHI) of almost five hundred people without analyzing the risks of doing so. Separately, in August 2014, SEMC notified OCR of a breach of unsecured ePHI from a former SEMC workforce member’s personal laptop and flash drive that affected approximately 600 individuals.
In addition to the monetary payment, SEMC agreed to enter into a one-year corrective action plan (CAP) with OCR. The CAP requires SEMC to perform a self-assessment addressing six different protocols relating to ePHI, unannounced visits to five SEMC departments to assess the implementation of the required policies and procedures, at least 15 interviews with a diverse cross-section of SEMC workforce members who have access to ePHI, and the inspection of at least three portable devices in each of the five SEMC departments that are the subject of the unannounced visits. SEMC is required to provide a self-assessment report to HHS, as well as an implementation report within one year after the effective date of the CAP.
HIPAA compliance by covered entities, including hospitals and providers, remains a priority of OCR. Saul Ewing has previously written about recent OCR investigations and settlements; see:
Covered entities must continue to conduct required risk assessments, monitor HIPAA compliance, provide regular training to members of its workforce, have mitigation and breach policies in effect and ready to implement and continue to ensure the privacy and security of ePHI and PHI generally.
Saul Ewing attorneys have extensive experience with HIPAA privacy and security issues, development of policies and procedures, mitigation techniques, risk analysis and the development of risk management plans, and breach response protocol. For more information on this Client Alert please contact the authors or the attorney at the firm with whom you are regularly in contact.