HIPAA settlement highlights cloud risks

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) recently announced its HIPAA settlement with St. Elizabeth’s Medical Center (SEMC) of Brighton, MA, requiring SEMC to pay $218,400 and adopt a corrective action plan addressing gaps in SEMC’s HIPAA compliance program. The settlement serves as a warning for organizations to pay particular attention to HIPAA’s requirements when using cloud-based services.

The settlement resolves OCR findings that SEMC employees used an Internet-based document sharing application to store documents containing electronic protected health information (ePHI) without analyzing the risks of using this application (in violation of the Security Rule risk management requirement), and that SEMC failed to promptly identify and respond to a separate security incident.

OCR Director Jocelyn Samuels warned HIPAA covered entities and business associates that “[o]rganizations must pay particular attention to HIPAA’s requirements when using [I]nternet-based document sharing applications. In order to reduce potential risks and vulnerabilities, all workforce members must follow all policies and procedures, and entities must ensure that incidents are reported and mitigated in a timely manner.”