A recent HIPAA enforcement action highlights the risk of health care providers using unsecured applications to store and share patient data. HHS reached a $218,499 settlement with St. Elizabeth’s Medical Center in Brighton, Massachusetts, a tertiary care hospital that offers both inpatient and outpatient services. The enforcement action followed allegations made to HHS in 2012 that the hospital was using an unsecured internet-based document-sharing application to store documents containing patients’ electronic protected health information, without properly analyzing the security risks. In a separate incident in 2014, the hospital also reported a breach of unsecured PHI involving a former hospital employee’s laptop and flash drive.

In addition to paying a monetary fine, the hospital agreed to undertake corrective action measures, including ensuring that no PHI is stored on unauthorized networks, such as on unsecured devices and laptops, implementing robust HIPAA policies, and carrying out enhanced workforce training.

As more and more internet-based and mobile applications that allow the sharing of health information come online, the St. Elizabeth’s enforcement action should put covered entities and business associates on notice that their use or distribution of these applications must meet the requirements of the HIPAA Security rule if PHI is involved. HHS cautions that covered entities and business associates must take particular care with internet-based document-sharing applications.