HIPAA Settlement Emphasizes Risks of Internet-Based Applications.

The Department of Health and Human Services (HHS) announced that St. Elizabeth’s Medical Center (SEMC) in Brighton, Massachusetts, has agreed to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy, Security and Breach Notification Rules with the HHS Office for Civil Rights (OCR).  The settlement requires SEMC to pay $218,400 and to correct deficiencies in its HIPAA compliance program through a robust corrective action plan.  The OCR’s complaint against SEMC alleges that workforce members stored documents containing electronic protected health information (ePHI) of at least 498 individuals in an internet-based document sharing application.  The complaint alleged that SEMC did not analyze the application’s risk to patient privacy.

Separately, SEMC notified the OCR of a breach of unsecured ePHI stored on a former SEMC workforce member’s personal laptop and Universal Serial Bus (USB) flash drive, affecting 595 individuals.

The HHS Bulletin is available at:

http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/SEMC/bulletin.pdf.

Department of Health and Human Services.  “HIPAA Settlement Highlights Importance of Safeguards When Using Internet Applications.”  10 Jul. 2015.