Health Information Management

Boston hospital fined for disregarding HIPAA rules, agrees to corrective action plan

HIM-HIPAA Insider, July 20, 2015

Want to receive articles like this one in your inbox? Subscribe to HIM-HIPAA Insider!

by John Castelluccio, Editor

St. Elizabeth’s Medical Center in Boston has agreed to a corrective action plan and civil fine of $218,400 with OCR to address deficiencies in its HIPAA compliance program after practices by hospital employees exposed ePHI of more than 1,000 patients.

OCR initially received a complaint in November 2012 that hospital employees were allegedly storing patient records containing PHI in an unsecure online document sharing application without analyzing the risks of doing so, according to a July 8 resolution agreement between OCR and St. Elizabeth’s. Those documents contained the ePHI of at least 498 patients.

The federal agency notified the hospital, which is part of Steward Health Care, of the complaint and its investigation in February 2013.

The hospital then self-reported a different data breach to OCR in August 2014. At that time, St. Elizabeth’s revealed it found unsecured ePHI of 595 patients stored on a former employee’s personal laptop and USB flash drive.

OCR launched a second investigation into the hospital’s compliance with HIPAA rules in November 2014. Ultimately, OCR found St. Elizabeth’s essentially neglected to take action once it learned of the breaches.

OCR’s investigators found the hospital:

  • Disclosed ePHI of at least 1,093 individuals
  • Failed to implement sufficient security measures regarding the transmission and storage of ePHI to reduce risks and vulnerabilities to a reasonable and appropriate level
  • Failed to timely identify and respond to a known security incident, mitigate the harmful effects of the security incident, and document the security incident and its outcome

“Organizations must pay particular attention to HIPAA’s requirements when using internet-based document sharing applications,” said OCR Director Jocelyn Samuels in a statement. “In order to reduce potential risks and vulnerabilities, all workforce members must follow all policies and procedures, and entities must ensure that incidents are reported and mitigated in a timely manner.”

The resolution agreement does not represent an admission of guilt by St. Elizabeth’s nor does it represent a concession by OCR that the hospital didn’t violate HIPAA regulations. As part of the settlement, St. Elizabeth’s also agreed not to contest the fine.

The corrective action plan requires the hospital perform a self-assessment and follow-up report that surveys employees’ knowledge and compliance with internal policies on:

  • Transmitting ePHI on unauthorized networks
  • Storing ePHI on unsecured networks and devices
  • Removing ePHI from the hospital
  • Prohibiting sharing network accounts and passwords for ePHI storage or access
  • Encrypting portable devices
  • Reporting security incidents


Under the plan, the hospital must perform unannounced inspections of departments, interview at least 15 randomly selected employees who access ePHI, and inspect portable devices used in each department.

St. Elizabeth’s must then submit the findings to OCR along with any recommendations for improving policies, procedures, oversight, and/or training. OCR will review proposed revisions to ensure they comply with the HIPAA Privacy and Security Rules and issue final approval.

The federal agency also outlined reporting requirements, timelines, and a response plan for St. Elizabeth’s if any employees fail to comply with its policies and procedures and cause to another data breach.



Want to receive articles like this one in your inbox? Subscribe to HIM-HIPAA Insider!

    Briefings on APCs
  • Briefings on APCs

    Worried about the complexities of the new rules under OPPS and APCs? Briefings on APCs helps you understand the new rules...

  • HIM Briefings

    Guiding Health Information Management professionals through the continuously changing field of medical records and toward a...

  • Briefings on Coding Compliance Strategies

    Submitting improper Medicare documentation can lead to denial of fees, payback, fines, and increased diligence from payers...

  • Briefings on HIPAA

    How can you minimize the impact of HIPAA? Subscribe to Briefings on HIPAA, your health information management resource for...

  • APCs Insider

    This HTML-based e-mail newsletter provides weekly tips and advice on the new ambulatory payment classifications regulations...

Most Popular