OCR Hits Nonprofit with $2.14 Million HIPAA Fine
An improperly configured server landed a healthcare system a $2.14 million HIPAA settlement fine, the Office for Civil Rights (OCR) announced October 18.
St. Joseph Health (SJH), a California-based nonprofit healthcare delivery system sponsored by the St. Joseph Health Ministry, agreed to the settlement and a strict corrective action plan (CAP) after OCR’s investigation of the initial breach revealed systemic organizationwide noncompliance.
In February 2012, SJH reported a breach affecting 31,800 individuals. Some files created to support SJH’s participation in meaningful use were stored on a server the organization purchased specifically to host them. The server came with a file sharing application that, when left at the default setting, allowed unrestricted access to anyone with an internet connection.
SJH uploaded files to the application but did not modify or even examine the application’s settings, OCR said, leaving the electronic protected health information (ePHI) stored on the server available via Google and other search engines from February 2011 to February 2012. The files contained detailed information including:
- Advance directive status
- Blood pressure
- BMI
- Diagnoses
- Lab results
- Names
According to the Security Rule, bringing in a new server represents an environmental or operational change that must trigger a technical and nontechnical evaluation. OCR’s investigators discovered that SJH did not conduct an evaluation until July 2012. And, as with many other organizations hit by HIPAA fines this year, SJH also failed to perform a thorough and organizationwide risk analysis. SJH hired contractors to perform risk analyses but no single risk analysis was comprehensive.
SJH must perform an organizationwide risk analysis and inventory of all electronic assets that store ePHI and submit documentation to HHS within 240 days, according to the terms of the CAP. SJH also agreed to develop and implement a risk management plan, update policies and procedures, train staff, and submit these documents to HHS for approval. In one year, SJH will submit an annual report to HHS detailing its compliance with the terms of the CAP.