In a relatively short time period, the direct costs of document storage have dropped precipitously, and cloud-based document storage has become ubiquitous. Clearly, this is a wave of the future. But a recent settlement agreement between the Office of Civil Rights and a Boston area hospital should make it plain that, when it comes to electronic protected health information, mobile devices and cloud-based storage apps carry significant risk.
On July 8, 2015, the U.S. Department of Health and Human Services, Office for Civil Rights and St. Elizabeth’s Medical Center entered into a settlement agreement following an investigation into a complaint regarding the hospital’s use of an internet-based app used for sharing ePHI. Executed nearly three years after a St. Elizabeth workforce member originally submitted a complaint to OCR, the settlement agreement requires St. Elizabeth’s to pay $218,400 to OCR and implement a significant corrective action plan focused on alleged deficiencies in the hospital’s compliance practices.
The November 16, 2012 complaint alleged that a St. Elizabeth’s internet-based document sharing application stored documents containing ePHI of at least 498 individuals. Subsequently, on August 25, 2014, the hospital notified OCR that a breach of unsecured ePHI stored on a former St. Elizabeth’s workforce member’s personal laptop and USB flash drive affected 595 individuals.
The July 8, 2015 agreement does not contain an admission by St. Elizabeth’s of liability or of any facts or violations; however, it does document OCR claims that St. Elizabeth’s allegedly:
- disclosed the PHI of at least 1,093 individuals;
- failed to implement sufficient security measures regarding the transmission of and storage of ePHI to reduce risks and vulnerabilities to a reasonable and appropriate level; and
- failed to timely identify and respond to a known security incident, mitigate the harmful effects of the security incident, and document the security incident and its outcome.
The allegation that the hospital knew of a security incident and failed to effectively respond to it was an important factor in this settlement.
In the years since OCR first received the 2012 complaint, cloud-based shared storage sites—such as Dropbox, Google Drive, and Blackboard Connect—have proliferated. Cloud-based storage sites may not meet HIPAA requirements if they use inadequate security controls easily manipulated to allow unauthorized access to ePHI and susceptible to malware and/or harmful social engineering (i.e. fraudulent emails and notifications luring authorized users to grant access to outside parties).
In particular, there is risk that multi-device and multi-computer access of some cloud-based storage sites could be construed by OCR as failing to protect against reasonably anticipated threats or hazards to the security or integrity of such information. While health care entities and their business associates can benefit from the efficiencies that these tools create, they must be vigilant in assuring they are HIPAA compliant. Covered entities should consider restrictions on the use of cloud-based shared storage sites outside of the entities’ own IT infrastructure, including prohibitions on storing and transmitting ePHI through non-approved or non-HIPAA compliant sites.
For further information, the HHS Office of the National Coordinator for Health Information Technology has published a “Guide to Privacy and Security of Electronic Health Information.”