Hospital faced with repeat security failure hit with $218k HIPAA fine

Does your hospital permit employees to use a file-sharing application to store patients' protected health information? Better reconsider. A Massachusetts hospital is paying up and reassessing its security and privacy policies following a file-sharing complaint and a HIPAA breach.

St. Elizabeth's Medical Center in Brighton, Mass., an affiliate hospital of Steward Health Care System, will pay $218,400 to the Office for Civil Rights (OCR) for alleged HIPAA violations. The settlement stems from a 2012 complaint filed by hospital employees alleging that the hospital was using a web-based document-sharing application to store data containing protected health information (PHI). Without adequately analyzing the security risks of the application, the hospital put the PHI of nearly 500 patients at risk.

"Organizations must pay particular attention to HIPAA's requirements when using Internet-based document sharing applications," said Jocelyn Samuels, OCR director, in a July 10 statement announcing the settlement. "In order to reduce potential risks and vulnerabilities, all workforce members must follow all policies and procedures, and entities must ensure that incidents are reported and mitigated in a timely manner."

It was not only the complaint that got St. Elizabeth's into trouble, however. A HIPAA breach reported by the hospital in 2014 also drew attention to the lack of sufficient security policies. The hospital notified OCR in August of last year of a breach involving unsecured PHI stored on the personal laptop and USB drive of a former hospital employee. That breach ultimately affected 595 patients, according to a July 10 OCR bulletin.

As part of the settlement, St. Elizabeth's will also be required to "cure the gaps in the organization's HIPAA compliance program," OCR officials wrote in the bulletin. More specifically, this includes conducting a self-assessment of employees' awareness of and compliance with hospital security and privacy policies. Part of this assessment calls for "surprise visits" to various hospital departments to evaluate how policies are implemented. Officials will also interview up to 15 "randomly selected" employees with access to PHI. In addition, at least three portable devices in each department with access to PHI will be inspected.

Then there is the policies and training piece of the settlement. Under this part, St. Elizabeth's, based on the results of the assessment, will submit revised policies and training materials to HHS for approval.

"There are no indications that any patient data have been accessed or misused in any way," said a hospital spokesperson in an emailed statement. "St. Elizabeth's Medical Center has settled the matter regarding events that occurred in 2012 and 2014."

In addition to the filed complaint and the 2014 breach, the hospital also reported an earlier HIPAA breach in 2012, when paper documents containing billing data, credit card numbers and security codes of nearly 7,000 patients were not properly shredded by the hospital. Some of the files containing the data were reportedly found in a nearby field.

To date, OCR has collected nearly $26.4 million from covered entities and business associates found to have violated HIPAA privacy, security and breach notification rules.

The largest settlement to date was the $4.8 million fine paid by New York-Presbyterian Hospital and Columbia University Medical Center after a single physician accidentally deactivated an entire computer server, resulting in ePHI being exposed on Internet search engines.
