By Steve Spearman, Founder and Chief Security Consultant for Health Security Solutions
Twitter: @HIPAASolutions
Host of HIPAA Chat – Register for Aug. 21 Event
On July 8, 2015, St. Elizabeth’s Medical Center of Brighton, Massachusetts, agreed to pay $218,400 to the Department of Health and Human Services in a HIPAA violation settlement. According to the official Resolution Agreement, HHS received complaints that St. Elizabeth’s was storing at least 498 patients’ ePHI on an unnamed, internet-based document sharing application (presumably Dropbox, as it’s the most popular file-sharing application that is not HIPAA compliant). Although HHS notified St. Elizabeth’s about the noncompliance in February 2013, the center gave little heed to the warning. Little more than a year later, in August 2014, St. Elizabeth’s reported a breach that occurred when a former employee’s personal laptop and USB drive were compromised, both of which, together, contained the unsecured ePHI of 595 patients. In total, these two separate incidents resulted in compromised ePHI for St. Elizabeth’s 1,093 patients.
Now, nearly a year later, the case has been settled out of court. The cost? St. Elizabeth’s Medical Center must pay a $218,400 fine and follow a corrective action plan to remedy the training and IT errors that may have led to the breaches.
As part of this corrective action plan, St. Elizabeth’s must perform a self-assessment or hire someone to assess them and then send the assessment report to HSS, who will determine “if” (how) they need to change their policies. If, after the assessment, St. Elizabeth’s decides that it needs to change employee training methods, they must submit their revised plans to HHS for approval.
Moreover, if St. Elizabeth’s discovers that one of its employees has violated the new regulations, the center must give a detailed report of the incident to the HHS. One year after reforming its system, St. Elizabeth’s must send an implementation report to the HHS and any time the HHS requests documents connected to this corrective action for the next six years.
The use of file sharing services is wildly popular in healthcare. However, the real question is whether HIPAA allows the use of such services. The answer is yes, as long as the service is willing to sign a Business Associate Agreement (BAA) and comply with HIPAA security rules as required by the BAA.
Box.com has been a leader in this space for the last few years. This platform, to my knowledge, was the first file-sharing service that indicated a willingness to sign a BAA and has gone to great lengths to demonstrate credibility in the healthcare arena. In addition, the service at Box.com is feature-rich, supporting a number of tools such as audit controls and robust authentication options that should make it appealing to many healthcare organizations. Box.com has also been assessed and certified by the Cloud Security Alliance.
Google Drive is another relatively inexpensive alternative but has a more limited feature set. Google was very slow to agree to the BAA requirement and has not been as forthcoming about how it is complying with the regulations.
The real story here is the use of noncompliant file-sharing services resulting in a HIPAA violation for St. Elizabeth’s Medical Center. Failure to use an appropriate, HIPAA compliant platform was at the root of the two breaches that occurred, and ultimately, this noncompliance led to a legal settlement and increased government oversight.
File-sharing services that comply with HIPAA regulations are available, and, as evidenced by St. Elizabeth’s recent compliance issues, they are certainly worth the investment. We have provided a bit of guidance on a few services that are considered HIPAA compliant, but stay tuned for a more in-depth article on File Sharing services!
If you have any questions about general HIPAA compliance or whether your organization is using an appropriate file-sharing service, don’t hesitate to contact us here!
You can read St. Elizabeth’s Resolution Agreement here.
This article was originally published on Health Security Solutions and is republished here with permission.Steve Spearman hosts HIPAA Chat, a show produced by HITECH Answers airing on our Internet radio station, HealthcareNOWradio.com. Learn more about HIPAA Chat or download podcasts of the show. Find out more about attending the next taping of HIPAA Chat and ask your questions directly to Steve.