The OCR announced a settlement of $218,400 along with adoption of a robust plan of correction with St. Elizabeth’s Medical Center (SEMC) of Brighton, MA for alleged HIPAA violations. Before the settlement, SEMC had two different events leading up to it entering the resolution agreement with HHS. The first allegation involved a complaint to the OCR that employees were using an internet-based document sharing application to store ePHI without analyzing the associated security risks, exposing at least 498 individuals’ ePHI.
We provide insights and analysis for physicians, nurses, chiropractors, dentists, physical therapists and other health professionals on issues impacting their practices.
Hershey Medical Center announced that it will notify 1,801 patients of a data breach. This privacy breach arose out of an employee’s action, which involved taking data home on a removable storage device to work on a personal computer at home after hours. The employee then used his personal email to send updated data to doctors at the medical center. Because the employee worked with the data on devices and systems without the safeguards and controls of the workplace, the medical center could not rule out the possibility of unauthorized access of the information. While Hershey Medical Center did not believe an unauthorized person accessed the information, it felt it needed to notify the patients.
If you ever wonder if you should be concerned about HIPAA compliance, think about this latest Office of Civil Rights (OCR) settlement with New York Presbyterian Hospital (NYP) and Columbia University Medical Center (CU).
OCR issued an update regarding two important HIPAA settlements involving theft of unencrypted laptops. The first involved Concentra Health Systems report of a breach that an unencrypted laptop was stolen from the Springfield Missouri Physical Therapy Center. After concluding that Concentra had previously recognized its lack of encryption in multiple risk analyses, its efforts to protect patient PHI remained vulnerable due to incomplete and inconsistent encryption. As a result, Concentra agreed to pay OCR $1,725,220 to settle the violations and will be implementing a corrective action plan to remediate the findings.