HIPAA fine against Mass. hospital, NYT telemedicine story highlight the need to secure data

The HHS Office for Civil Rights fined St. Elizabeth’s Medical Center in Brighton, Mass., in a settlement of HIPAA allegations of lax Internet security, even as The New York Times reported on a health system using Skype.

It was like two ships passing in the night.

As MedCityNews mentioned in Monday’s Morning Read, The New York Times over the weekend ran a feature story about the growth of telemedicine, including how some are using free, consumer-centric platforms like Skype and FaceTime to conduct online consultations.

Clearly unbeknownst to the writer and editor, three days earlier, the HHS Office for Civil Rights had fined St. Elizabeth’s Medical Center in Brighton, Mass., $218,400 in a settlement of allegations of lax Internet security. While not explicitly admitting HIPAA violations, St. Elizabeth’s also agreed to take corrective privacy and security action to prevent future transfer of electronic protected health information over unsecured channels.

Acting on a complaint filed in November 2012, OCR, which enforces the HIPAA privacy and security rules, investigated St. Elizabeth’s for using an unsecured application to share documents containing PHI of at least 498 people. In August 2014, OCR noted, the hospital publicly reported to HHS a breach of unsecured data of 595 people, involving a USB drive and the personal laptop of a former St. Elizabeth’s employee.

The settlement did not cover a breach that St. Elizabeth’s, part of Boston-based Steward Health Care, reported in April 2012. In that incident, the hospital notified more than 6,800 patients that billing information — not health data — on paper may have been exposed.

The app in question at St. Elizabeth’s was not Skype, FaceTime or anything else for videoconferencing, but those two platforms are not secure for HIPAA purposes. CHI Franciscan Health in Tacoma, Wash., had better hope that its telemedicine vendor, Carena, obtained the proper consent from the patient (likely) and, better yet, found a secure version of Skype to use.
