Failure Under HIPAA Security Rule Costs $2.14 Million

On October 18, 2016, the Department of Health and Human Services, Office of Civil Rights (“OCR”) announced a $2.14 million settlement with St. Joseph Health (“St. Joseph”), a non-profit integrated Catholic healthcare delivery system in California, Texas, and New Mexico. Between February 2011 and February 2012, St. Joseph inadvertently made publicly accessible via the internet the electronic protected health information (“ePHI”) of 31,800 individuals, in violation of the Health Insurance Portability and Accountability Act, as amended, and its implementing regulations (“HIPAA”).

The ePHI Exposed. As part of St. Joseph’s participation in a meaningful use program, St. Joseph created PDF files containing combinations of the following ePHI (“Files”):

  • patient names
  • diagnoses lists
  • lab results
  • medication allergies
  • blood pressure
  • BMI
  • smoking status
  • advance directive status
  • demographic information (language, ethnicity, race, sex, and birth date)

The Files contained no Social Security Numbers or financial data. St. Joseph stored the Files on a network server. Also stored on this server was a file-sharing application. This application’s default settings permitted anyone to access the documents on the server via the internet. OCR has not stated whether this ePHI was actually accessed by any third party.

The HIPAA Concern. The server configuration constituted an environmental or operational change that affected the security of ePHI stored on the server. The HIPAA Security Rule requires that a technical and non-technical evaluation be performed whenever there is an environmental or operational change that could impact the security of an organization’s ePHI. St. Joseph failed to perform such an evaluation between July 1, 2010 and July 10, 2012. OCR’s investigation also revealed that St. Joseph failed to conduct an accurate, thorough enterprise-wide analysis of potential risks and vulnerabilities between July 1, 2010, and the present.

The Corrective Action Plan. In addition to paying OCR $2.14 million, St. Joseph must participate in a multi-year corrective action plan that subjects St. Joseph’s HIPAA compliance to close scrutiny by OCR. The St. Joseph settlement highlights the importance of an active HIPAA compliance program, including when an organization incorporates new technology. This is especially true as OCR is currently conducting HIPAA Phase 2 Audits.

Action Steps for Covered Entities and Business Associates:

  • Perform a risk assessment if one has not been performed recently
  • Take steps to address risks and vulnerabilities identified by the risk assessment
  • Update HIPAA policies and procedures to (1) address all ways that PHI is being used and maintained and (2) trigger the performance of evaluations when required by the HIPAA Security Rule
  • Train employees on HIPAA policies and procedures annually

Sherman & Howard L.L.C. has prepared this advisory to provide general information on recent legal developments that may be of interest. This advisory does not provide legal advice for any specific situation and does not create an attorney-client relationship between any reader and the Firm.

©2016 Sherman & Howard L.L.C. October 20, 2016