Issue link: https://beckershealthcare.uberflip.com/i/549045
37 In the News St. Elizabeth's to Settle Alleged HIPAA Violation By Akanksha Jayanthi CEAA CERTIFIED EQUIPMENT APPRAISAL ASSOCIATES, INC. Call us at (215) 260-2680 for a FREE consultation. For more information, visit us on the web at www.ceaahealthcare.com or email us at ceaahealthcare@aol.com CEAA CERTIFIED EQUIPMENT APPRAISAL ASSOCIATES, INC. Certifi ed Equipment Appraisal Associates, Inc. is a leading nationwide medical equipment appraisal fi rm offering comprehensive medical equipment appraisals for the healthcare industry. We have conducted over 2,000 Healthcare Equipment Appraisal Assignments in all 50 states. We can appraise a single unit of medical equipment to fully equipped private practices, clinics, imaging centers and entire hospitals. On-Site & Desktop Equipment Appraisals for: When Compliance Matters, Get Certifi ed. • Purchase price allocation • Hospital and physician practice valuations • All healthcare equipment types • Stark Law, SBA, FASB & IRS compliance • Lease negotiations • Partnership buyouts • Litigation and expert witness • Asset inventory • Sale of assets • Cost segregation • Financing S t. Elizabeth's Medical Center in Brighton, Mass., has agreed to pay $218,400 to settle an alleged HIPAA violation and to adopt a corrective action plan for its HIPAA compliance program. In November 2012, HHS' Office for Civil Rights received complaints alleging employees at St. Elizabeth's Medical Center, part of Boston-based Steward Health Care, had been using an Inter- net-based document sharing application to store documents containing electronic protected health information of nearly 500 patients without first analyzing the risks associated with the platform. is lack of risk analysis put the PHI at risk. e OCR's investigation into the allegations de- termined the hospital failed to comply with rules to safeguard private patient information. "Organizations must pay particular attention to HIPAA's requirements when using Internet-based document sharing applications," said OCR Direc- tor Jocelyn Samuels in a statement. "In order to reduce potential risks and vulnerabilities, all work- force members must follow all policies and proce- dures, and entities must ensure that incidents are reported and mitigated in a timely manner." In a separate incident, St. Elizabeth's Medical Center notified HHS' OCR in August 2014 of a breach stemming from unsecured electronic PHI on a former employee's personal laptop and flash drive affecting 595 patients. Brooke urston, a spokeswoman for Steward Health Care, told the Boston Globe there is no evidence pa- tient data was inappropriately viewed or misused from either of the security incidents. "All patients that needed to be notified were contacted back when the events occurred," Ms. urston said. "St. Elizabeth's has taken steps to ensure this will not happen again." Concerns with data storage are likely to persist, especially as cloud computing in healthcare con- tinues to gain popularity. A recent report from Sky High found the average healthcare organiza- tion uses 928 cloud applications each month. Matt Fisher, attorney and co-chair of Massachu- setts-based Mirick O'Connell's Health Law Group, says new technologies like cloud computing will require hospitals and health systems to be aware of how such offerings may affect security programs. "e growing use of cloud-based apps and storage options is not a bad thing. However, healthcare orga- nizations need to be cognizant of what services em- ployees are using, or what services the organization itself will help promote," Mr. Fisher said in emailed comments to Becker's Hospital Review. "Before using a cloud service, an organization should vet the ser- vice and ask what is done to protect information in a manner that meets HIPAA standards." While hospitals and health systems are keeping pace with technological advancements, so is the OCR, as evidenced by this incident. "e key lesson learned from this event is that OCR understands the changing digital world and expects hospitals and other healthcare organiza- tions to keep up," Mr. Fisher said. "A hospital can- not sit back and expect that its employees will do the right thing. Accordingly, hospitals should ac- tively assess risks as new developments occur and keep employees informed of the evolving obliga- tions to maintain HIPAA compliance." n