HIPAA Handbooks

  • Privacy and security training for new and seasoned staff
  • 11 staff/setting focus areas
  • Education on protecting PHI
  • New HITECH Act changes
  • Discounts on bulk purchases



  • Role-based training using real-life case scenarios
  • Test-your-knowledge exercises with remediation
  • Post-course test to document staff participation


Other HIPAA Resources

  • Hot-topic audio conferences
  • Books on privacy and security
  • Newsletters
  • e-Newsletter
  • Videos



Hospital fined for disregard of HIPAA rules, agrees to corrective action plan

Email This Post Print This Post

hosp01St. Elizabeth’s Medical Center in Boston has agreed to a corrective action plan and civil fine of $218,400 with OCR to address deficiencies in its HIPAA compliance program following employee practices at the hospital that exposed ePHI on more than 1,000 patients.

OCR initially received a complaint in November 2012 that hospital employees were allegedly storing patient records containing PHI in an unsecure online document sharing application without analyzing the risks of doing so, according to a July 8 resolution agreement between OCR and St. Elizabeth’s. Those documents contained the ePHI of at least 498 patients.

The federal agency notified the hospital, which is part of Steward Health Care, of the complaint and its investigation in February 2013. The hospital then self-reported a different data breach to OCR in August 2014. At that time, St. Elizabeth’s revealed unsecured ePHI of 595 patients was found stored on a former employee’s personal laptop and USB flash drive.

A second investigation was launched into the hospital’s compliance with HIPAA rules in November 2014, and ultimately, the results of those two probes found St. Elizabeth’s essentially neglected to take action once it learned of the breaches.

Leave a Reply