St. Elizabeth's Medical Center in Brighton, Mass., has agreed to pay $218,400 to settle an alleged HIPAA violation and to adopt a corrective action plan for its HIPAA compliance program.
In November 2012, HHS' Office for Civil Rights received complaints alleging employees at St. Elizabeth's Medical Center, part of Boston-based Steward Health Care, had been using an Internet-based document sharing application to store documents containing electronic protected health information of nearly 500 patients without first analyzing the risks associated with the platform. This lack of risk analysis put the PHI at risk.
The OCR's investigation into the allegations determined the hospital failed to comply with rules to safeguard private patient information.
"Organizations must pay particular attention to HIPAA's requirements when using Internet-based document sharing applications," said OCR Director Jocelyn Samuels in a statement. "In order to reduce potential risks and vulnerabilities, all workforce members must follow all policies and procedures, and entities must ensure that incidents are reported and mitigated in a timely manner."
In a separate incident, St. Elizabeth's Medical Center notified HHS' OCR in August 2014 of a breach stemming from unsecured electronic PHI on a former employee's personal laptop and flash drive affecting 595 patients.
Brooke Thurston, a spokeswoman for Steward Health Care, told the Boston Globe there is no evidence patient data was inappropriately viewed or misused from either of the security incidents. "All patients that needed to be notified were contacted back when the events occurred," Ms. Thurston said. "St. Elizabeth's has taken steps to ensure this will not happen again."
Concerns with data storage are likely to persist, especially as cloud computing in healthcare continues to gain popularity. A recent report from Sky High found the average healthcare organization uses 928 cloud applications each month.
Matt Fisher, attorney and co-chair of Massachusetts-based Mirick O'Connell's Health Law Group, says new technologies like cloud computing will require hospitals and health systems to be aware of how such offerings may affect security programs. "The growing use of cloud-based apps and storage options is not a bad thing. However, healthcare organizations need to be cognizant of what services employees are using, or what services the organization itself will help promote," Mr. Fisher said in emailed comments to Becker's Hospital Review. "Before using a cloud service, an organization should vet the service and ask what is done to protect information in a manner that meets HIPAA standards."
While hospitals and health systems are keeping pace with technological advancements, so is the OCR, as evidenced by this incident.
"The key lesson learned from this event is that OCR understands the changing digital world and expects hospitals and other healthcare organizations to keep up," Mr. Fisher said. "A hospital cannot sit back and expect that its employees will do the right thing. Accordingly, hospitals should actively assess risks as new developments occur and keep employees informed of the evolving obligations to maintain HIPAA compliance."
Editor's note: This article was updated at 4:30 pm CDT on July 14, 2015 to include comments from Attorney Matt Fisher.
More articles on data breaches:
Hackers break into Anthem: 10 things to know
The hospital's guide to getting hacked
Missing EKG-linked laptop prompts breach notification at Valley Community Healthcare