[ Monday, July 13, 2015 ]
St. Elizabeth (Brighton, MA) breach:
Jeff [1:59 PM]
Not having policies and procedures, not vetting internet-based document storage apps (e.g., Dropbox), and losing laptops and flash drives can cost you a quarter million dollars. At least that's what it cost St. Elizabeth Medical Center
What's interesting to note in the settlement agreement is that it was not simply using Dropbox (or whatever app they were using) that resulted in the violation, it was that they didn't do a risk analysis on whether they should use it. I suspect that if they had done a risk analysis and reasonably determined that using Dropbox was safe (maybe the data was mostly de-identified, maybe the Dropbox access was tightly controlled and audited, maybe some other safeguards made is palatable), OCR wouldn't have fined them, or at least not this much.
Failing to have done a risk analysis on using Dropbox might also indicate that SEMC didn't do other risk analyses; at any rate, not doing one on the Dropbox use eliminates their ability to claim that it was safe regardless.
I can't urge more strongly that you do a risk analysis, and redo it regularly (probably every year, unless you've got a really good reason to wait longer).
Blogger: HIPAA Blog - Edit your Template