OCR Announces $2.7 million OHSU HIPAA Violation Settlement

The Department of Health and Human Services’ Office for Civil Rights (OCR) has announced that Oregon Health & Science University (OHSU) has agreed to settle multiple potential HIPAA violations which contributed to the potential disclosure of protected health information on a number of occasions. The OHSU HIPAA violation settlement is one of the largest of 2016. OHSU is required to make a monetary payment of $2.7 million to the OCR and must adopt a rigorous 3-year corrective action plan.

Multiple Preventable PHI Breaches Experienced in a Short Space of Time

The OCR conducted a HIPAA breach investigation into OHSU after receiving multiple reports of PHI breaches that resulted in the exposure of thousands of patients’ protected health information (PHI). In a relatively short space of time, OHSU submitted three breach reports to the OCR. Two unencrypted laptop computers were reported stolen, as was a portable storage device (thumb drive) containing patients’ PHI.

OHSU also experienced a potential breach of more than 3,000 individuals’ PHI after it was discovered that data had been stored on a cloud-based server without OHSU having entered into a business associate agreement with the provider of that service before any ePHI was stored there.

The latter breach was particularly serious due to the sensitive nature of the data involved. The PHI potentially exposed included payment information, credit card numbers, Social Security numbers, driver’s license numbers, photos, medical diagnoses, and medical procedures – more than enough data to cause individuals considerable harm if it were obtained by criminals. OCR investigators determined that 1,361 individuals faced a significant risk of harm as a result of the actions of OHSU staff.

OHSU HIPAA Violation Settlement Covers Multiple HIPAA Violations

OCR investigators confirmed that OHSU had performed risk analyses – a requirement of the HIPAA Security Rule – on numerous occasions, typically every two years. The first risk analysis was performed in 2003, followed by risk analyses in 2005, 2006, 2008, 2010, and 2013. However, those risk analyses were incomplete and failed to cover all systems in OHSU’s enterprise that contained ePHI – a violation of the HIPAA Security Rule.

The risk analyses identified a number of risks to the integrity, security, and availability of ePHI, yet OHSU failed to address those vulnerabilities in a timely manner and to an appropriate level, according to the OHSU HIPAA violation settlement agreement.

HIPAA does not require covered entities to use encryption; however, encryption is an addressable implementation specification in the HIPAA Rules. If an organization chooses not to encrypt ePHI, it must implement an equivalent alternative measure to keep that ePHI secure and document why encryption was not used. The OCR determined that “[OHSU] failed to implement a mechanism to encrypt and decrypt ePHI or an equivalent alternative measure for ePHI maintained on its workstations, despite having identified this lack of encryption as a risk.”

Investigators also discovered that OHSU lacked appropriate policies and procedures to prevent, detect, contain, and correct security violations.

After discovering security vulnerabilities during its risk analyses, OHSU had ample opportunity to correct the issues prior to the data breaches occurring, yet failed to do so. OCR Director Jocelyn Samuels pointed out that the OHSU HIPAA violation settlement “underscores the importance of leadership engagement and why it is so critical for the C-suite to take HIPAA compliance seriously.”

Details of the OHSU HIPAA violation settlement have been published on the HHS website. The full OHSU HIPAA violation settlement agreement and details of the CAP can be viewed here.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news