A Massachusetts-based hospital has agreed to pay $218,400 for failing to comply with the Health Insurance Portability and Accountability Act (HIPAA).
The US Department of Health and Human Services (HHS) issued a statement in which it said that St. Elizabeth's Medical Center of Brighton, Mass. will pay the fine for HIPAA violations stemming from a 2012 complaint filed on behalf of several workers at the hospital. The original complaint alleged that St. Elizabeth's used a cloud-based document sharing tool to store patients' data. Because the hospital failed to properly assess the risks of using such a service to store Protected Health Information (PHI), it placed the information of nearly 500 patients at risk.
Aside from the hefty monetary fine, St. Elizabeth's hospital must also fix any outstanding HIPAA violations.
The hospital also came under fire last year when it became the victim of a cyber breach. This, combined with the 2012 incident, drew the attention of the HHS and prompted it to fine the hospital for its lack of compliance.
In a statement made on July 10, the HHS's Office for Civil Rights said that healthcare organizations must pay close attention to HIPAA's requirements regarding online document sharing applications.
“Organizations must pay particular attention to HIPAA’s requirements when using Internet-based document sharing applications,” Jocelyn Samuels, director of the HHS’s Office for Civil Rights, said in a statement. “In order to reduce potential risks and vulnerabilities, all workforce members must follow all policies and procedures, and entities must ensure that incidents are reported and mitigated in a timely manner.”
So, what exactly does this mean? The use of online document sharing applications isn't necessarily prohibited under the Health Insurance Portability and Accountability Act. However, hospitals, doctors and other covered entities must follow specific guidelines to prevent the unauthorized access and/or use of PHI. This includes creating a Business Associate Agreement (BAA) with the application provider, explaining what type of data will be shared and how it will be used.
Stories such as the one involving St. Elizabeth's hospital just go to show that the HHS can and will fine covered entities for failing to follow HIPAA. Whether you operate a large-scale medical practice or a family clinic, you must understand the nuances of HIPAA and how it pertains to patient privacy. Otherwise, you could be facing a similar situation.