The U.S. Department of Health and Human Services (HHS), Office of Civil Rights (OCR), recently announced a settlement with St. Elizabeth's Medical Center (SEMC) over violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). SEMC is a tertiary care hospital located in Massachusetts. OCR's investigation began in November 2014, when OCR alleged that SEMC violated HIPAA's Privacy, Security and Breach Notification Rules. As part of the settlement, SEMC agreed to pay $218,400 and adopt a corrective action plan to address the deficiencies in SEMC's HIPAA compliance program.
On July 10, 2015, OCR released an HHS OCR Bulletin containing the allegations against SEMC, the parties' settlement agreement and SEMC's corrective action plan. OCR's investigation stemmed from a complaint against SEMC filed on November 16, 2012. The allegations pertain to SEMC's use of internet-based document sharing programs that contain electronic protected health information (ePHI). OCR found that SEMC used the internet-based applications without analyzing the privacy and security risks, as required by HIPAA. Further, critical to SEMC's liability under HIPAA, OCR alleged that SEMC "failed to timely identify and respond to the known security incident, mitigate the harmful effects of the security incident, and document the security incident and its outcome." The settlement agreement also covers a separate HIPAA breach that occurred in August 2014, when SEMC notified HHS of a breach of unsecured ePHI located on a personal laptop and USB flash drive.
The settlement between OCR and SEMC is predicated on SEMC's continued compliance with the settlement agreement's corrective action plan. As part of the plan, SEMC agreed to perform robust "self-assessment" to determine the SEMC's workforce members' knowledge of and compliance with SEMC policies and procedures regarding: transmitting ePHI using unauthorized networks; storing ePHI on unauthorized information systems; removal of ePHI from SEMC; prohibition on sharing accounts and passwords for ePHI access or storage; encryption of portable devices that access or store ePHI; and security incident reporting related to ePHI. The self-assessment includes unannounced site visits to various SEMC departments, randomly selected interviews of SEMC workforce members, and inspection of portable devices that can access ePHI in the departments impacted by the breach. SEMC is also required to provide a report documenting its self-assessment to HHS within 150 days of the settlement.
The corrective action plan provides that if SEMC determines that its HIPAA compliance policies and procedures must be revised pursuant to the plan, or that SEMC's workforce is unfamiliar or not in substantial compliance with the policies and procedures, SEMC must submit any revisions to its policies and procedures for approval by HHS and also adopt "an oversight mechanism reasonably tailored to ensure that all SEMC workforce members follow such policies and procedures, and that ePHI is only used and disclosed as provided for by such policies and procedures." Finally, the corrective action plan requires further training of SEMC workforce members, specific timeframes regarding disclosure of reportable events, and document retention relating to compliance with the settlement agreement for six years.
This settlement demonstrates the importance of HIPAA compliance by covered entities and business associates, and the onerous and costly results that can result from non-compliance. It is critical to have well-drafted HIPAA-compliant policies and procedures that are communicated and enforced within you workforce.
Wachler & Associates drafts and implements HIPAA policies and procedures, as well as BAAs, on behalf of all types of health care providers. Our attorneys counsel HIPAA covered entities and business associates around the country in a variety of HIPAA matters, including investigations of and responses to breaches of PHI and ePHI. If you or your healthcare entity have any questions regarding HIPAA's Privacy, Security or Breach Notification rules, or otherwise need assistance regarding HIPAA, please contact an experienced healthcare attorney at (248) 544-0888 or via email at firstname.lastname@example.org.