Share this article on:
The Department of Health and Human Services’ Office for Civil Rights (OCR) has agreed to settle a HIPAA violation case with the Santa Barbara, CA-based healthcare provider Cottage Health for $3,000,000.
Cottage Health operates four hospitals in California – Santa Barbara Cottage Hospital, Santa Ynez Cottage Hospital, Goleta Valley Cottage Hospital and Cottage Rehabilitation Hospital.
In 2013 and 2015, Cottage Health experienced two security incidents that resulted in the exposure of the electronic protected health information (ePHI) of 62,500 patients.
In 2013, Cottage Health discovered a server containing patients’ ePHI had not been properly secured. Files containing patients’ ePHI could be accessed over the internet without the need for a username or password. Files on the server contained patient names, addresses, dates of birth, diagnoses, conditions, lab test results and other treatment information.
Another server misconfiguration was discovered in 2015. After responding to a troubleshooting ticket, the IT team removed protection on a server which similarly exposed patients’ ePHI over the internet. Patient names, addresses, dates of birth, social security numbers, diagnoses, conditions, and other treatment information could all be accessed without a username or password.
OCR investigated the breaches and Cottage Health’s HIPAA compliance efforts. OCR determined that Cottage Health had failed to conduct a comprehensive, organization-wide risk analysis to determine risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI, as required by 45 C.F.R. § 164.308(a)(l)(ii)(A).
Risks and vulnerabilities had not been reduced to a reasonable and acceptable level, as required by 45 C.F.R. § 164.308(a)(l )(ii)(B).
Periodic technical and non-technical evaluations following environmental or operational changes had not been conducted, which violated 45 C.F.R. § 164.308(a)(8).
OCR also discovered Cottage Health had not entered into a HIPAA-complaint business associate agreement (BAA) with a contractor that maintained ePHI: A violation of 45 C.F.R. § 164.308(b) and 164.502(e).
In addition to the financial penalty, Cottage Health has agreed to adopt a 3-year Corrective Action Plan (CAP). The CAP requires Cottage Health to conduct a comprehensive, organization-wide risk analysis to determine all risks to the confidentiality, integrity, and availability of ePHI. Cottage Health must also develop and implement a risk management plan to address all security risks and vulnerabilities identified during the risk analysis. The risk analysis must be reviewed annually and following any environmental or operational changes. A process for evaluating environmental or operational changes must also be implemented.
Cottage Health must also develop, implement, and distribute written policies and procedures covering the HIPAA Privacy and Security Rules and must train all staff on the new policies and procedures. Cottage Health must also report to OCR annually on the status of its CAP for the following three years.
“Our record year underscores the need for covered entities to be proactive about data security if they want to avoid being on the wrong end of an enforcement action,” said OCR Director Roger Severino. “The Cottage settlement reminds us that information security is a dynamic process and the risks to ePHI may arise before, during, and after implementation covered entity makes system changes.”
A Record Year for HIPAA Fines and Settlements
It has been a busy year of HIPAA enforcement for OCR. In 2018, 10 settlements have been agreed with HIPAA-covered entities and business associates in response to violations of HIPAA Rules and one civil monetary penalty has been issued. The 11 financial penalties totaled $28,683,400, which exceeded the previous record of $23,505,300 set in 2016 by 22%.
2018 also saw OCR agree the largest ever HIPAA settlement in history. Anthem Inc., settled alleged violations of HIPAA Rules for $16,000,000. The settlement was almost three times larger than the previous record – The $5.5 million settlement with Advocate Health Care Network in 2016.
Further Information: 2018 HIPAA Fines and Settlements