Oregon Health & Science University (OHSU), Oregon’s only academic health center comprising two hospitals and multiple general and specialty clinics, has agreed to pay a penalty of $2.7 million to settle alleged HIPAA violations.
The U.S. Department of Health and Human Services Office for Civil Rights (OCR) commenced an investigation after OHSU submitted multiple breach reports impacting thousands of individuals. OCR uncovered evidence of widespread vulnerabilities within the health care system’s HIPAA compliance program, and OCR’s findings provide a virtual checklist of what a HIPAA covered entity or business associate should not do. Specifically, OCR found that OHSU:
Used unencrypted laptops. Two breach reports involved the loss or theft of unencrypted laptops. In one case, an unencrypted laptop was taken from a vacation apartment in Hawaii being rented by an OHSU physician. The computer contained protected health information (PHI) of more than 4,000 patients.
Used unencrypted thumb drives. Another large breach involved a stolen, unencrypted thumb drive.
Stored PHI in the “cloud” without having a Business Associate Agreement with the vendor. OHSU stored the PHI of more than 3,000 patients on a cloud-based server, but without ensuring the protection of that data through a HIPAA business associate agreement with the internet-based service provider. OCR found significant risk of harm to 1,361 of these individuals due to the sensitive nature of their diagnoses. In addition to a variety of PHI, the server stored credit card and payment information, diagnoses, procedures, photos, driver’s license numbers and Social Security numbers.
Performed HIPAA risk analyses that did not cover all PHI in the OHSU system. Despite performing risk analyses in 2003, 2005, 2006, 2008, 2010, and 2013, OCR’s investigation found the analyses did not cover all PHI in OHSU’s enterprise, as required by the Security Rule.
Failed to implement, in a timely manner, measures to address the documented risks and vulnerabilities identified in the risk analyses it had performed.
Failed to implement policies and procedures to address security incidents.
In addition to the penalty, OHSU has signed a HIPAA resolution agreement and will participate in a comprehensive three-year corrective action plan with the HHS Office for Civil Rights. OHSU did not admit liability. A copy of the resolution agreement and corrective action plan can be found at this link: http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/ohsu/index.html
OCR is stepping up its attention to business associate agreements. Health care organizations must establish, maintain and monitor a comprehensive vendor management program with due diligence on potential business associates in advance and during the contract term.