It is troubling to still find so many healthcare organizations not adequately securing their ePHI. The case in point this time is St. Elizabeth’s Medical Center (SEMC) in Brighton, MA.
On July 8, 2015, SEMC agreed to pay $214,800 in penalties to HHS/OCR for non-compliance with HIPAA’s security regulations and agreed to a corrective action plan to cure gaps in the organization’s HIPAA compliance program.
So, how was SEMC found non-compliant?
1) The complaint alleged that workforce members used an internet-based document sharing application to store documents containing electronic protected health information (ePHI) of at least 498 individuals, without having analyzed the risks associated with such activity.
2) OCR’s investigation determined that SEMC failed to timely identify and respond to the known security incident, mitigate the harmful effects of the security incident, and document the security incident and its outcome.
3) On August 25, 2014, SEMC submitted to HHS OCR regarding a breach of unsecured ePHI stored on a former SEMC workforce member’s personal laptop and USB flash drive, affecting 595 individuals.
Conducting a Security Risk Analysis once a year and mitigating the gaps it finds, along with staff training on HIPAA security awareness, are among the most effective ways to safeguard against incidents such as the above and to avoid penalties for non-compliance.
Call with any questions on how EHR 2.0 can help secure your ePHI: 866 276 8307