
HHS hits Mass. hospital with $218,000 fine for multiple potential HIPAA violations

by Thomas Dworetzky, Contributing Reporter | July 16, 2015
Before rushing headlong into the brave new world of sharing patient documents through Internet applications, health care professionals might pause to take note of the recent $218,400 HIPAA settlement between a Massachusetts hospital and the Department of Health and Human Services (HHS) Office for Civil Rights (OCR).

The case involves Brighton, Massachusetts-based St. Elizabeth's Medical Center and a pair of potential violations, including the use in 2012 of a web-based document-sharing application by its employees "to store documents containing electronic protected health information (ePHI) of at least 498 individuals without having analyzed the risks associated with such a practice," according to OCR.

As part of the deal, OCR stated, the hospital will adopt a "robust corrective action plan to correct deficiencies in its HIPAA compliance program."
The hospital agreed to the fine and the corrective plan, but did not admit to the violations, as part of the agreement, according to The National Law Review.

The problem was investigated by OCR, which ultimately found that the hospital "failed to timely identify and respond to the known security incident, mitigate the harmful effects of the security incident, and document the security incident and its outcome."

A second incident compounded the institution's security woes. In August 2014, the hospital notified OCR that a former worker had stored 595 individuals' patient records on a personal laptop and USB drive, according to the Boston Globe.

"In order to reduce potential risks and vulnerabilities, all workforce members must follow all policies and procedures, and entities must ensure that incidents are reported and mitigated in a timely manner," stressed OCR Director Jocelyn Samuels.

This is especially important now that the race to the cloud has hit health care full force. Workers at an average health care organization use a total of 928 distinct cloud services, according to a recent study by security firm Skyhigh Networks, and file-sharing software consistently ranks among the five most popular categories of application.

Worse still, the IT department is often not notified of this usage, according to the security researchers.

The Massachusetts settlement is only the latest OCR enforcement action arising from the use of Internet-based services and other sloppy security practices.

In April, Cornell Prescription Pharmacy (Cornell) was hit with a $125,000 fine after being accused of improper disposal of patient documents.

"Even in our increasingly electronic world, it is critical that policies and procedures be in place for secure disposal of patient information, whether that information is in electronic form or on paper," stressed OCR's Samuels.
