$2.14 Million St. Joseph Health HIPAA Settlement Announced

The Department of Health and Human Services’ Office for Civil Rights (OCR) has agreed to a $2.14 million St. Joseph Health HIPAA settlement after a data breach investigation uncovered serious violations of the HIPAA Security Rule.

St. Joseph Health, which is sponsored by the St. Joseph Health Ministry, operates 14 acute care hospitals in California, New Mexico, and Texas, in addition to many skilled nursing facilities, hospices, home health agencies, and community clinics.

St. Joseph Health participated in the Meaningful Use Program and transitioned to electronic health records; however, as part of that process, the electronic protected health information (ePHI) of 31,800 patients was accidentally exposed.

In early 2012, St. Joseph Health discovered that a data sharing application on one of its servers had been left unprotected for just over a year. The server was used to store PDF files containing the ePHI of patients; however, the application used to share those documents had not been reconfigured after installation. Its default security settings allowed the PDF files to be accessed by any individual on the Internet, and those PDF files had been indexed by Google and potentially other search engines. Between February 1, 2011 and February 12, 2012, the documents could be accessed by anyone with an Internet connection. Data in the documents included the names of patients, medical diagnoses, health statuses, and patient demographics.

Under the HIPAA Security Rule, the integrity, confidentiality, and availability of ePHI must be safeguarded at all times. HIPAA-covered entities must conduct a comprehensive, organization-wide risk analysis to identify potential risks to ePHI and must take action to address those risks.

While St. Joseph Health had performed a risk analysis, OCR found that it had been conducted in a “patchwork fashion” by third-party contractors and did not comply with the requirements of the HIPAA Security Rule. St. Joseph Health had also failed to conduct a security assessment of the new server and file sharing application that were installed as part of its Meaningful Use project. According to OCR, “Evidence indicated that SJH failed to conduct an evaluation in response to the environmental and operational changes presented by implementation of a new server for its meaningful use project, thereby compromising the security of ePHI.”

The $2.14 million St. Joseph Health HIPAA settlement resolves potential HIPAA violations which directly contributed to the exposure of ePHI. The St. Joseph Health HIPAA settlement also includes a robust corrective action plan (CAP). The CAP requires St. Joseph Health to conduct an enterprise-wide risk analysis, implement new policies and procedures, train staff on those policies and procedures, and develop and implement a risk management plan.

OCR Director Jocelyn Samuels said, “Entities must not only conduct a comprehensive risk analysis, but must also evaluate and address potential security risks when implementing enterprise changes impacting ePHI.” Samuels went on to say, “The HIPAA Security Rule’s specific requirements to address environmental and operational changes are critical for the protection of patient information.”

OCR investigates all data breaches impacting more than 500 individuals, although in most cases those investigations have not resulted in civil monetary penalties or settlements with covered entities. OCR prefers to resolve compliance issues with technical assistance to ensure data security standards are improved to the level demanded by HIPAA.

Financial penalties are only issued in the most serious cases, where widespread non-compliance with HIPAA Rules is uncovered. However, over the past two years, OCR has stepped up its enforcement efforts. The latest announcement brings the total number of HIPAA settlements for 2016 up to 12, double the number of settlements reached in each of the past three years.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news