A recent HIPAA enforcement action highlights the risk of health care providers using unsecured applications to store and share patient data. HHS reached a $218,499 settlement with St. Elizabeth’s Medical Center in Brighton, Massachusetts, a tertiary care hospital that offers both inpatient and outpatient services. The enforcement action followed allegations made to HHS in 2012 that the hospital was using an unsecured internet-based document-sharing application to store documents containing patients’ electronic protected health information, without properly analyzing the security risks. In a separate incident in 2014, the hospital also reported a breach of unsecured PHI involving a former hospital employee’s laptop and flash drive.

In addition to paying a monetary fine, the hospital agreed to undertake corrective action measures, including ensuring that no PHI is stored on unauthorized networks, such as on unsecured devices and laptops, implementing robust HIPAA policies, and carrying out enhanced workforce training.

As more and more internet-based and mobile applications that allow the sharing of health information come online, the St. Elizabeth’s enforcement action should put covered entities and business associates on notice that their use or distribution of these applications must meet the requirements of the HIPAA Security Rule if PHI is involved. HHS cautions that covered entities and business associates must take particular care with internet-based document-sharing applications.

Covington Digital Health Team

Stakeholders across the healthcare, technology and communications industries seek to harness the power of data and information technology to improve the effectiveness and efficiency of their products, solutions and services, create new and cutting-edge innovations, and achieve better outcomes for patients. Partnering with lawyers who understand how the regulatory, IP, and commercial pieces of the digital health puzzle fit together is essential. Covington offers unsurpassed breadth and depth of expertise and experience concerning the legal, regulatory, and policy issues that affect digital health products and services.