Barnes & Thornburg LLP: HIPAA Settlement – Improper Storage Of EPHI


By Stacy L. Cook

On July 10, 2015, the Office for Civil Rights (OCR) announced a HIPAA settlement with St. Elizabeth’s Medical Center (SEMC), a tertiary care hospital in Brighton, Massachusetts. SEMC has agreed to pay $218,400 and adopt a robust corrective action plan. 

The settlement is the result of two alleged violations. First, SEMC workforce members filed a complaint of a HIPAA violation with the OCR in late 2012, alleging that workforce members used an internet-based document sharing application to store documents that contained the electronic protected health information (EPHI) of almost 500 individuals. OCR determined that in addition to the document storage issue, SEMC failed to timely identify and respond to this known security incident, mitigate the harm, and document the incident and its outcome. Second, in an unrelated event, on August 24, 2014, SEMC reported a breach of unencrypted EPHI contained on a laptop and USB flash drive of a former SEMC workforce member, which affected 595 individuals. 

In the settlement, SEMC did not admit to any violations. In its announcement of the settlement, the OCR emphasized that organizations must pay particular attention to HIPAA’s requirements when using internet-based document sharing applications. In addition, this settlement is one of many examples of a breach caused by unencrypted mobile devices.

Stacy Cook

Stacy L. Cook is a partner in the Healthcare Department in the firm’s Indianapolis, Indiana office. Ms. Cook concentrates her practice on regulatory and transactional issues, including fraud and abuse laws, billing and reimbursement, HIPAA compliance, and related litigation matters, involving a wide variety of healthcare providers, including physicians, pharmacists, wholesale drug distributors, pharmacies, psychologists, physical therapists, hospital medical staffs and long-term care facilities. She has extensive experience in representing healthcare providers before state and federal healthcare regulatory agencies and she assists clients in responding to privacy and security breaches, government investigations and audits, as well as repayment inquiries and internal and external audits.
