Health Center Agrees to $2.7 Million HIPAA Fine

July 28, 2016

An Oregon academic health center has agreed to a $2.7 million HIPAA settlement and a corrective action plan (CAP) after a breach investigation revealed serious HIPAA vulnerabilities throughout the organization, HHS said in a statement released July 18.

Oregon Health and Science University (OHSU) reported two separate breaches of protected health information (PHI) to HHS in 2013. The first breach occurred when an unencrypted laptop containing the PHI of 4,022 individuals was stolen. In the second incident, OHSU reported that from January 2011 to July 2013 it had stored some patients’ PHI on a cloud service with which it had no business associate agreement (BAA). Of the 3,044 individuals affected by the cloud service breach, OCR determined that 1,361 were at significant risk of harm because of the sensitive nature of their diagnoses. Information stored on the cloud service included individuals’:

  • Credit card and payment information
  • Diagnoses and procedures
  • Driver’s license numbers
  • Names
  • Photos
  • Social Security numbers

OCR’s investigation found that although OHSU had conducted risk analyses, those analyses did not cover all of the organization’s electronic PHI (ePHI), and OHSU did not take reasonable measures to address identified vulnerabilities in a timely manner. Significantly, OHSU did not encrypt ePHI despite having identified unencrypted ePHI as a vulnerability. Additionally, OCR found that OHSU had no policies regarding the prevention, detection, or containment of security violations.

Under the terms of the CAP, OHSU must conduct an organization-wide risk analysis and then develop, and act on, a risk management plan based on the results.

The breach settlement highlights the importance of leadership engagement and support in security management programs, HHS said in its statement. Simply conducting a risk analysis and making note of security vulnerabilities does not fulfill an organization’s obligations under HIPAA. An organization’s leadership must provide the support and resources necessary to mitigate vulnerabilities identified in the risk analysis.

OHSU plans to work with an external information security consultant and create a multidisciplinary steering committee to help the organization fulfill the CAP, OHSU said in a statement.
