HIPAA settlement highlights cloud risks

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) recently announced its HIPAA settlement with St. Elizabeth’s Medical Center (SEMC) of Brighton, MA, requiring SEMC to pay $218,400 and adopt a corrective action plan addressing gaps in SEMC’s HIPAA compliance program. The settlement serves as a warning for organizations to pay particular attention to HIPAA’s requirements when using cloud-based services.

The settlement resolves OCR findings that SEMC employees used an Internet-based document sharing application to store documents containing electronic protected health information (ePHI) without analyzing the risks of using this application (in violation of the Security Rule risk management requirement), and that SEMC failed to promptly identify and respond to a separate security incident.

OCR Director Jocelyn Samuels warned HIPAA covered entities and business associates that “[o]rganizations must pay particular attention to HIPAA’s requirements when using [I]nternet-based document sharing applications. In order to reduce potential risks and vulnerabilities, all workforce members must follow all policies and procedures, and entities must ensure that incidents are reported and mitigated in a timely manner.”