St. Elizabeth’s Medical Center in Boston, Massachusetts, agreed in July to a $218,000 settlement with the US federal government over HIPAA violations, one of which was initially reported in 2012. The investigation of St. Elizabeth’s Medical Center by the Office for Civil Rights (OCR) division of the Department of Health and Human Services ultimately found 2 separate violations that the hospital could have avoided had it been more assertive about implementing the policies and technology needed to prevent the breaches.
St. Elizabeth’s HIPAA Violations
The first of the 2 breaches (reported in November 2012) contributing to the recent settlement involved St. Elizabeth’s employees sharing protected health records electronically through an unvetted internet-based document sharing application. “Specifically, the complaint alleged that workforce members used an internet-based document sharing application to store documents containing electronic protected health information of at least 498 individuals without having analyzed the risks associated with such a practice,” the OCR statement says.
The second reported HIPAA breach associated with St. Elizabeth’s Medical Center (reported in August 2014) involved the loss of a computer used by a former St. Elizabeth’s employee. The computer contained unencrypted protected health information (PHI) belonging to 595 people, whose personal data was put at risk when the computer was lost.
Avoiding HIPAA Fines Using Document Management
“Organizations must pay particular attention to HIPAA’s requirements when using internet-based document sharing applications,” Jocelyn Samuels, director of the HHS’s Office for Civil Rights, said in a statement. “In order to reduce potential risks and vulnerabilities, all workforce members must follow all policies and procedures, and entities must ensure that incidents are reported and mitigated in a timely manner.”
Samuels’ statement implies that some document management software can be deployed in a HIPAA-appropriate way, while other tools, such as the application involved in the St. Elizabeth’s Medical Center incident reported here, shouldn’t be used for managing patient records because they lack necessary security features, including adequate encryption strength and user-based roles that limit access to information to only those who require it.
Using eFileCabinet for HIPAA Compliant Management of Patient Records
At eFileCabinet, we support medical practices, hospitals, human resource departments, and other entities that are required to abide by HIPAA regulations. Our software is designed to be used in compliance with HIPAA requirements for storing patient data. We also provide support to our clients so that they can implement records management systems that significantly reduce the risk of HIPAA breaches. In our relationships with HIPAA-regulated customers, we even sign a Business Associate Agreement that includes a guarantee of protection against security threats and commitments to fulfilling other obligations, which can help compliance officers feel more at ease in their roles.
If you’d like to learn more about how eFileCabinet can help your healthcare-related organization store patient records in compliance with HIPAA rules, please contact us at 877-574-5505, or fill out the form on this page to have one of our compliance experts contact you to schedule a demo.