US Department of Health and Human Services

By Jennifer Archie, Susan Ambler Ebersole, and Kasey Branam

Alleged HIPAA Violations Resulted from Medical Center’s Failure to Risk Assess Internet-Based Document Sharing Application and Inadequate Breach Response

The US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) reached a settlement in the form of a Resolution Agreement and Corrective Action Plan (CAP) with St. Elizabeth’s Medical Center (SEMC) in July, arising out of two alleged security breach incidents in violation of the HIPAA Security Rule. While the amount paid under the Resolution Agreement was relatively small compared with other recent Resolution Agreements announced by OCR, this one is notable because one of the breaches related to SEMC’s use of an internet-based document sharing application. According to the complaint filed with OCR, SEMC workforce members used an internet-based document sharing application to store documents containing electronic protected health information (ePHI) of at least 498 individuals. However, it appears that neither this practice nor the cloud-based document sharing application itself was included in SEMC’s risk analysis of “the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information,” as required under HIPAA at 45 C.F.R. § 164.308.

OCR determined from its investigation that SEMC not only failed to include the application in its risk assessment, but also failed to timely identify and respond once it became aware of its employees’ practice of storing ePHI on the application, failed to mitigate the harmful effects of the incident, and failed to document the security incident and its outcome.