Failure to Manage Security Risk Leads to $2.14 Million HIPAA Settlement
Imagine discovering that your organization may have disclosed the electronic protected health information (ePHI) of thousands of individuals.
Do you have safeguards in place to prevent, or at least reduce, the risk that patients' health information is compromised?
The Office for Civil Rights (OCR) announced that St. Joseph Health (SJH) agreed to pay $2,140,500 and adopt a comprehensive corrective action plan to settle potential violations of the HIPAA Privacy and Security Rules:
- SJH reported that files containing ePHI had been publicly accessible through internet search engines from 2011 until 2012.
- From February 1, 2011 to February 13, 2012, the PHI of 31,800 individuals was potentially disclosed.
- Evidence indicated that SJH failed to evaluate the environmental and operational changes introduced by the implementation of a new server for its meaningful use project, thereby compromising the security of ePHI. Standing up a new server that holds ePHI is exactly the kind of change that should trigger a fresh security evaluation rather than waiting for a scheduled review.
- Although SJH hired a number of contractors to assess the risks and vulnerabilities to the confidentiality, integrity and availability of its ePHI, the evidence indicated that this work was done in a patchwork fashion and never produced the enterprise-wide risk analysis the HIPAA Security Rule requires.
Under the corrective action plan, SJH is required to conduct an enterprise-wide risk analysis, develop and implement a risk management plan, revise its policies and procedures, and train its staff on those policies and procedures.