The Office for Civil Rights announced on July 10, 2015 that it has entered into a Resolution Agreement with St. Elizabeth’s Medical Center (SEMC), owned and operated by Steward Health Care System and located in Brighton, MA. The settlement includes the payment of a fine of $218,400 and the requirement to follow a Corrective Action Plan (CAP). The CAP includes completing a self-assessment on its workforce members’ familiarity and compliance with procedures involving:
- the transmission of ePHI using unauthorized networks
- storing ePHI on unauthorized information systems, including unsecured networks and devices
- removal of ePHI from the medical center
- prohibition on sharing accounts and passwords for access or storage
- encryption of portable devices that access or store ePHI
- security incident reporting related to ePHI
The self-assessment report will be made available to the OCR. In addition, SEMC must review its policies and procedures, revise them as necessary, and provide them to the OCR for approval.
SEMC must also review and revise its workforce training, provide the training to OCR for approval, and then train all employees who have access to PHI within 60 days of the approval.
The settlement and CAP stem from two incidents—one that started with a complaint in 2012 and the second with a reportable data breach in 2014. The OCR received a complaint in November of 2012 alleging that SEMC was not complying with HIPAA because workforce members were using an internet-based document-sharing application to store documents containing ePHI of at least 498 patients. The OCR stated that based upon its investigation, it “determined that SEMC failed to timely identify and respond to the known security incident, mitigate the harmful effects of the security incident, and document the security incident and its outcome.”
On August 25, 2014, SEMC self-reported a data breach of 595 patients’ information that was stored on a previous employee’s personal laptop and USB flash drive.
The two incidents, involving 1,093 individuals in total, were combined into a single settlement. The settlement is consistent with the OCR’s other settlements and is another lesson learned about the OCR’s emphasis on encrypting mobile devices that access or store ePHI and on the importance of workforce training.