Skip to content

Physician Law Blog

We provide insights and analysis for physicians, nurses, chiropractors, dentists, physical therapists and other health professionals on issues impacting their practices.

Physician Law Blog
July 13, 2015

Happy HIPAA Times - Medical Center Settles with the OCR for Use Of Internet-Based Document Sharing

The OCR announced a settlement of $218,400 along with adoption of a robust plan of correction with St. Elizabeth’s Medical Center (SEMC) of Brighton, MA for alleged HIPAA violations. Before the settlement, SEMC had two different events leading up to it entering the resolution agreement with HHS. The first allegation involved a complaint to the OCR that employees were using an internet-based document sharing application to store ePHI without analyzing the associated security risks, exposing at least 498 individuals’ ePHI.

Physician Law Blog
June 9, 2014

PHI + Home Computers = Possible Breach

Hershey Medical Center announced that it will notify 1,801 patients of a data breach. This privacy breach arose out of an employee’s action, which involved taking data home on a removable storage device to work on a personal computer at home after hours. The employee then used his personal email to send updated data to doctors at the medical center. Because the employee worked with the data on devices and systems without the safeguards and controls of the workplace, the medical center could not rule out the possibility of unauthorized access of the information. While Hershey Medical Center did not believe an unauthorized person accessed the information, it felt it needed to notify the patients.

Physician Law Blog
April 23, 2014

HIPAA Update - OCR Takes Unencrypted Laptops Seriously

OCR issued an update regarding two important HIPAA settlements involving theft of unencrypted laptops. The first involved Concentra Health Systems report of a breach that an unencrypted laptop was stolen from the Springfield Missouri Physical Therapy Center. After concluding that Concentra had previously recognized its lack of encryption in multiple risk analyses, its efforts to protect patient PHI remained vulnerable due to incomplete and inconsistent encryption. As a result, Concentra agreed to pay OCR $1,725,220 to settle the violations and will be implementing a corrective action plan to remediate the findings.