St. Elizabeth's Medical Center in Brighton, Mass., has agreed to pay a $218,400 settlement to federal authorities for what the government is calling “potential violations” of the data privacy, security and breach notification rules under HIPAA, including in a relatively rare enforcement area: Internet-based file-sharing services.
The Office for Civil Rights at HHS, which has federal HIPAA privacy and security rule enforcement authority, first received a complaint in November 2012 that members of St. Elizabeth's workforce used an Internet-based document-sharing application “to store documents containing electronic protected health information (ePHI) of at least 498 individuals without having analyzed the risks associated with such a practice.”
In a separate incident, in August 2014, the hospital reported to HHS that a former workforce member had stored patient-identifiable health records of 595 individuals on a stolen personal laptop and USB flash drive.
According to a recent report on employee Internet usage by the Campbell, Calif.-based security firm Skyhigh Networks, employees at an average healthcare organization use a total of 928 cloud services, many without the knowledge of their IT departments. File-sharing services were among the top five uses of cloud services by healthcare workers in the report.
“Organizations must pay particular attention to HIPAA's requirements when using Internet-based document-sharing applications,” said Office for Civil Rights Director Jocelyn Samuels. “In order to reduce potential risks and vulnerabilities, all workforce members must follow all policies and procedures, and entities must ensure that incidents are reported and mitigated in a timely manner.”
In addition to the payment, the settlement includes a corrective action plan “to cure gaps in the organization's HIPAA compliance program raised by both the complaint and the breach.” St. Elizabeth's has also reported to the civil rights office a breach involving the identifiable records of 6,831 patients on paper or film, according to the “wall of shame” list kept by the office for breaches involving 500 or more individuals.
This wasn't the first Office for Civil Rights enforcement action to result in a monetary settlement with a provider over its use of Web-based services, according to Adam Greene, a privacy lawyer with Davis Wright Tremaine in Washington, D.C. But providers need to be aware of the enforcement risks both cases demonstrate, he said.
In April 2012, a five-physician medical practice, Phoenix Cardiac Surgery, agreed to a $100,000 settlement for failing to have HIPAA-required business associate agreements with the providers of its Internet-based calendar and e-mail service.
“Between these two cases,” Greene said, “what it stands for is OCR's expectation you're going to have to have a business associate agreement with any cloud-based (service) providers. And you need a risk analysis.”
Greene said the St. Elizabeth settlement was “particularly noteworthy” because the complaints apparently came from the hospital's own employees.
“So, there appears to be a whistle-blower,” Greene said. “It shows the importance of having a process for hearing concerns from your employees about addressing HIPAA, or they might go to the government instead.”
Since September 2009, when the civil rights office started keeping a public list of breaches involving 500 or more individuals, 1,265 breaches have been reported, exposing the records of nearly 135 million people, equal to the populations of California, Florida, Illinois, New Jersey, New York, Pennsylvania and Texas combined.