A hospital in Brighton, Massachusetts, will pay $218,400 to the government in a settlement of a potential HIPAA violation.
The case stemmed from a complaint in 2012 that St. Elizabeth’s Medical Center was using an internet document-sharing application to store the protected health information, or PHI, of at least 498 people, according to modernhealthcare.com.
The settlement includes an action plan to fix other problems St. Elizabeth’s Medical Center has had with HIPAA compliance. In separate incidents the hospital also reported the breach of 6,831 patients’ identifiable records on paper or film and a stolen laptop with 595 identifiable records.
This was not the first time the Office for Civil Rights has punished a healthcare provider for using Web-based services. In 2012 Phoenix Cardiac Surgery paid $100,000 in a settlement after not having a business associate agreement with the providers of an email service.
Campus Safety Magazine reported earlier this year on the 2013 amendment to HIPAA that requires all business associates to comply with the Department of Health and Human Services’ regulations. Under the amendment, providers must have an agreement with business associates on the handling of PHI. In recent cases, the Office for Civil Rights has made it clear that various internet service providers qualify as business associates.
An OCR spokeswoman urged organizations to pay attention to HIPAA regulations when using document-sharing applications on the internet.