The Department of Health and Human Services’ Office for Civil Rights (OCR) has announced it has agreed to settle potential violations of the HIPAA Privacy and Security Rules with St. Joseph Health (SJH). SJH is required to pay $2,140,500 to OCR and adopt a corrective action plan (CAP) to bring its policies and procedures up to the standard demanded by HIPAA.
SJH is a not-for-profit integrated Catholic health care delivery system sponsored by the St. Joseph Health Ministry. SJH provides a wide range of medical services throughout California, New Mexico and Texas through 14 acute care hospitals and numerous community clinics, skilled nursing facilities, and home health agencies.
SJH was investigated following an ePHI breach reported to OCR on February 14, 2012. Files containing ePHI were created by SJH under the Meaningful Use Program; however, those files were left unprotected and accessible on the Internet for more than a year from February 1, 2011 to February 13, 2012. The PDF files had been indexed by Google – and potentially other search engines. During that time the ePHI of 31,800 individuals was exposed.
The exposure of ePHI occurred as a direct result of the failure of SJH to conduct a comprehensive risk analysis and a security assessment on a server prior to using it to share files containing ePHI. The server had been purchased and a file sharing application installed, yet no changes were made to the application. The default security settings were left in place, which allowed any individual with an Internet connection to gain access to the ePHI in the files.
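The failure described above is a missing pre-deployment check: nobody confirmed that the share refused anonymous readers before ePHI was placed on it. The following is an added example, not code from OCR, SJH or the unnamed file-sharing product; it assumes nothing about that product and simply asks the one question the text says went unasked. `assess_anonymous_exposure` fetches a URL with no credentials and reports whether content came back and whether the response carried an `X-Robots-Tag: noindex` header that would at least discourage search-engine indexing. `demo` runs it against two local stand-ins built in-process (names and the sample file are constructed for the example): a default directory listing, and a server that demands credentials.

```python
"""Pre-deployment check: can an unauthenticated client read a file share
over HTTP, and would a search engine be allowed to index what it sees?
Added example; the servers below are constructed stand-ins, not real ePHI."""
import http.server
import tempfile
import threading
import urllib.error
import urllib.request
from pathlib import Path


def assess_anonymous_exposure(url, timeout=5):
    """GET `url` with no credentials and summarise what an anonymous client
    (or a crawler) would receive: status code, whether content was served,
    and whether the server explicitly refused indexing."""
    req = urllib.request.Request(url, headers={"User-Agent": "share-preflight-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            status = resp.status
            body = resp.read(4096)
            robots = resp.headers.get("X-Robots-Tag", "")
    except urllib.error.HTTPError as err:
        # 401/403 etc.: the share pushed back, nothing was served
        status, body, robots = err.code, b"", ""
    served = status == 200 and len(body) > 0
    noindex = "noindex" in robots.lower()
    return {
        "status": status,
        "anonymous_read": served,          # True means anyone on the Internet can read it
        "indexable": served and not noindex,  # True means a crawler may index it too
    }


class _AuthRequired(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in for a share that demands credentials."""

    def do_GET(self):
        self.send_response(401)
        self.send_header("WWW-Authenticate", 'Basic realm="share"')
        self.end_headers()

    def log_message(self, *args):
        pass  # keep the demo quiet


def _start(handler):
    """Bind a throw-away server on a free loopback port and serve in a thread."""
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}/"


def demo():
    """Run the check against both stand-ins and return the verdicts by name."""
    tmp = tempfile.mkdtemp()
    # Constructed sample file; stands in for the PDF exports mentioned in the text.
    (Path(tmp) / "report.pdf").write_bytes(b"%PDF-1.4 constructed sample, not real PHI\n")

    class _Listing(http.server.SimpleHTTPRequestHandler):
        """Default directory listing with no authentication, the risky default."""

        def __init__(self, *a, **kw):
            super().__init__(*a, directory=tmp, **kw)

        def log_message(self, *args):
            pass

    results = {}
    for name, handler in (("default_listing", _Listing), ("auth_required", _AuthRequired)):
        srv, base = _start(handler)
        try:
            results[name] = assess_anonymous_exposure(base)
        finally:
            srv.shutdown()
            srv.server_close()
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        flag = "EXPOSED" if verdict["anonymous_read"] else "ok"
        print(f"{name}: {flag} {verdict}")
```

The check is deliberately crude: a 200 with a body from an unauthenticated request is the finding, and the `X-Robots-Tag` test only tells you whether indexing was explicitly refused, not whether the share is private. Run it against the share's public URL from outside the organisation's network before any ePHI is uploaded, and repeat it whenever the server or application changes, which is the "environmental and operational changes" obligation the Security Rule imposes.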
SJH had hired contractors to assess risks and identify security vulnerabilities that could potentially be exploited to gain access to ePHI, but OCR investigators determined those assessments were “conducted in a patchwork fashion and did not result in an enterprise-wide risk analysis,” which violated the HIPAA Security Rule.
Announcing the settlement, OCR Director Jocelyn Samuels said, “Entities must not only conduct a comprehensive risk analysis, but must also evaluate and address potential security risks when implementing enterprise changes impacting ePHI.” She went on to say, “The HIPAA Security Rule’s specific requirements to address environmental and operational changes are critical for the protection of patient information.”
2016 is a record-breaking year for HIPAA settlements. To date, OCR has entered into 12 settlements with covered entities in 2016, with covered entities paying more than $22,855,000 to OCR to resolve potential HIPAA violations discovered during data breach investigations.
As Samuels explained in a recent blog post, “We hope that our resolution agreements will provide a template for other health care entities to take the proactive steps necessary to ensure compliance with HIPAA requirements.”