Hospital Settles with OCR for $ 218,400 Over Cloud-Based File Sharing

Covered entities, business associates and subcontractors using cloud-based file sharing offerings such as Dropbox, Box.com, and the various other similar solutions should note the most recent settlement announcement from the Office of Civil Rights (OCR). On July 10, 2015, OCR announced a settlement with St. Elizabeth�s Medical Center (Medical Center) for $ 218,400 involving allegations of violations of the HIPAA Security Rule stemming from two reported incidents, the first of which was brought to the OCR�s attention through a third-party complaint.

A few preliminary comments.... This settlement reminds organizations that they need to follow the flow of PHI in their environment and to pay attention to where their workforce members are storing PHI. It is possible with today's technology to log the software installed on corporate computers and, further, to prohibit certain software from being installed. Similarly, usb ports and cd/dvr drives can be disabled.

What is striking about this settlement is the specificity of the OCR settlement, where OCR has not only expressly required the Medical Center to interview workforce members, but also dictated the types of workforce members that must be interviewed.

St. Elizabeth�s Medical Center is a tertiary-care hospital based in Brighton, Massachusetts. The OCR Settlement stems from two separate incidents:

(1) 2012 Incident � This incident involved the Medical Center using an online file-sharing solution to store protected health information (PHI) of at 498 individuals �without having analyzed the risks associated with such a practice.�[1] This incident was brought to OCR�s attention through a third-party complaint received by OCR on November 16, 2012. OCR initiated its investigation on February 14, 2014 and found that the Medical Center �failed to timely identify and respond to the known security incident, mitigate the harmful effects of the security incident, and document the security incident and its outcome.�[2]

(2) 2014 Incident � This incident involved �a breach of unsecured ePHI stored on a former [Medical Center�s] workforce member�s personal laptop and USB flash drive, affecting 595 individuals� that the Medical Center self-reported to the OCR on August 25, 2014. OCR initiated this second investigation on November 17, 2014.[3]

While the two incidents were two years apart, strikingly, the Settlement Agreement does encompass both incidents.[4]

According to the Resolution Agreement, the OCR found the following conduct problematic:

Medical Center disclosed the PHI of at least 1,093 individuals.
Medical Center failed to implement sufficient security measures regarding the transmission of and storage of ePHI to reduce risks and vulnerabilities to a reasonable and appropriate level.
Medical Center failed to timely identify and respond to a known security incident, mitigate the harmful effects of the security incident, and document the security incident and its outcome.

Similar to past Resolution Agreements, the Medical Center and OCR entered into a Corrective Action Plan, requiring the Medical Center to take a number of steps to address the HIPAA Rule deficiencies. What appears to be different between this agreement and past agreements, however, is the relative amount of detail required by OCR, including setting froth relatively detailed requirements for the Self-Assessment. Specifically, the Corrective Action Plan requires the Medical Center to:

Conduct and Report a Self-Assessment
Within one hundred twenty (120) calendar days of the Effective Date, [Medical Center] . . . shall conduct an assessment � of [Medical Center�s] workforce members� familiarity and compliance with [Medical Center] policies and procedures that address the following:

a. transmitting ePHI using unauthorized networks;

b. storing ePHI on unauthorized information systems, including unsecured networks and devices;

c. removal of ePHI from Medical Center;

d. prohibition on sharing accounts and passwords for ePHI access or storage;

e. encryption of portable devices that access or store ePHI; and

f. security incident reporting related to ePHI.

[The] Self-Assessment will include, but not be limited to:

a. Unannounced site visits to five [Medical Center] departments, including the Cardiology Department (the �Covered Departments�) to assess implementation of the policies and procedures [described in this Settlement Agreement];

b. Interviews with a total of fifteen (15) randomly selected [Medical Center] workforce members who have access to ePHI, thirteen (13) of whom shall be from the Covered Departments�including at least one intern, resident, or fellow, and the remaining two (2) of whom shall be interns, residents, or fellows working in Hematology/Oncology; and

c. Inspection of at least three (3) portable devices at each of the Covered Departments that can access ePHI, including one (1) laptop, one (1) other portable device, such as a tablet or smartphone, and one (1) portable storage media, such as a USB flash drive, randomly selected to ensure that such devices satisfy all applicable requirements of the policies and procedures [described in this Settlement Agreement].

[The Medical Center must produce a written report within] one hundred fifty (150) calendar days of the Effective Date [and provide the report to HHS.] The Self-Assessment Report shall include, but not be limited to:

a. Dates and locations of unannounced site visits;

b. Job titles and duties of workforce members interviewed;

c. Summaries of results of interviews;

d. Summaries of inspections of workstations and other devices containing ePHI; and

e. Identification of any material compliance issues with the policies described [described in this Settlement Agreement], and recommendations for improving these policies and procedures, oversight and supervision, or training.

Revision and Distribution of Policies and Procedures
[If the Self-Assessment reveals that the Medical Center must revise its policies and procedures, then the Medical Center will] draft the appropriate revisions for review by HHS. If the Self-Assessment indicates that [Medical Center] workforce members are unfamiliar with or not substantially complying with [Medical Center�s] policies and procedures[, such as those involving the use of unauthorized networks, removal of PHI from the Medical Center, encryption, security incident reporting and others identified in the Settlement Agreement, then the Medical Center will] develop an oversight mechanism reasonably tailored to ensure that all Medical Center workforce members follow such policies and procedures, and that ePHI is only used and disclosed as provided for by such policies and procedures.

[The Medical Center must provide the revised policies and procedures as well as the oversight mechanism to HHS for review and approval.] Within thirty (30) calendar days after receiving HHS� final approval of any revisions to the policies and procedures [the Medical Center will] implement and distribute the policies and procedures to all appropriate workforce members.

Train Workforce Members
[If the Self-Assessment reveals that the Medical Center must revise its training materials, then the Medical Center will] draft the appropriate revisions for review by HHS. [Upon final approval by HHS, the Medical Center will] distribute a security reminder reflecting the content of such training and describing any revised policies and procedures to all [Medical Center] workforce members who have access to ePHI. [Medical Center] shall incorporate the revised training into its next annual refresher training for all applicable Medical Center workforce members [and] provide such training to new members of the workforce who have access to ePHI within sixty (60) calendar days of the workforce members beginning their service. Each individual who is required to attend training shall certify, in writing or in electronic form, that the individual has received the required training. The training certification shall specify the date training was completed. A sign-in sheet shall suffice to meet this requirement. All course materials shall be retained [for the six (6) year document retention period].[5]

For a chart summary of the OCR fines as well as other HIPAA related litigation, please see https://melniklegal.com/list_of_HIPAA_fines_and_penalties.html.

---------------------

[1] Press Release, HHS Office of Civil Rights, HIPAA Settlement Highlights Importance of Safeguards When Using Internet Applications, July 10, 2015, available at https://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/SEMC/bulletin.pdf.

[2] Id.

[3] Resolution Agreement between HHS Office of Civil Rights and St. Elizabeth�s Medical Center (July 8, 2015), available at https://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/SEMC/ra.pdf.

[4] Id. at I.1.2 (In describing the so-called �Covered Conduct,� OCR identifies a total of 1,093 patients, meaning that it was adding the patients from both the 2012 and 2014 incidents).

[5] Id. at V.

---------------------

Posted by: Tatiana Melnik on July 23, 2015