$2.7 Million HIPAA Penalty for Two Smaller Breaches
Oregon Health & Science University Agrees to Three-Year Corrective Action Plan
(This story has been updated.)
In the wake of two 2013 breaches that affected a total of 7,066 individuals, Oregon Health & Science University says it will pay $2.7 million in a HIPAA settlement with federal regulators that includes a three-year corrective action plan.
The resolution agreement with OHSU is the Department of Health and Human Services' Office for Civil Rights' eighth HIPAA settlement so far this year and the 35th since 2008.
In a July 13 statement, OHSU says it signed a resolution agreement with OCR following the HIPAA-enforcement agency's investigation into the two breaches.
The first incident, which impacted 4,022 individuals, involved an unencrypted laptop that was stolen from a surgeon's vacation rental home in Hawaii in February 2013 (see Stolen Laptops Lead Breach Roundup).
The second 2013 breach, which affected 3,044 individuals, involved OHSU's use of a cloud-based storage service without a business associate agreement, OHSU says.
That breach - which was actually two related incidents - involved physicians-in-training from two OHSU medical departments inappropriately posting unencrypted spreadsheets of patient information using cloud-based email and document storage services from Google. OHSU did not have a business associate agreement with Google (see HIPAA Breaches in the Cloud).
A statement issued by OHSU at the time of the breach noted that although Google Drive and Google Mail are password-protected and have security measures and policies in place to protect information, Google "is not an OHSU business associate with a contractual agreement to use or store OHSU patient health information."
'Insufficient' Risk Management Practices
In a July 18 statement, OCR says its investigation found that while OHSU performed risk analyses in 2003, 2005, 2006, 2008, 2010 and 2013, those studies did not cover all ePHI enterprise-wide. OCR also alleges that OHSU failed to act in a timely manner to implement reasonable measures to address the risks it documented. OHSU also lacked policies and procedures to prevent, detect, contain and correct security violations, and failed to implement a mechanism to encrypt ePHI - or take an equivalent alternative measure - on its workstations, OCR alleges.
"From well-publicized large scale breaches and findings in their own risk analyses, OHSU had every opportunity to address security management processes that were insufficient. Furthermore, OHSU should have addressed the lack of a business associate agreement before allowing a vendor to store ePHI," OCR Director Jocelyn Samuels said. "This settlement underscores the importance of leadership engagement and why it is so critical for the C-suite to take HIPAA compliance seriously."
Commenting on the settlement, privacy and security expert Kate Borten, founder of consulting firm The Marblehead Group, notes: "The lessons are the same as ever: A mature, robust information security program is what's needed to protect PHI and all other information assets."
Privacy attorney Kirk Nahra of the law firm Wiley Rein says he suspects the substantial financial penalty for the relatively small breaches likely reflected the fact that OHSU had also previously reported other breaches to OCR. That includes a 2012 incident involving the theft of an unencrypted USB drive containing PHI of 14,000 pediatric patients from the home of an OHSU hospital employee.
"I presume that the history here mattered more than the volume" of individuals affected by the breaches at the center of the OHSU resolution agreement, Nahra says.
The OHSU resolution agreement with OCR also includes "a rigorous three-year corrective action plan," the organization says.
As part of the corrective action plan, OHSU must:
- Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to ePHI held at all OHSU facilities and all systems, networks and devices that create, receive, maintain, or transmit ePHI;
- Develop a comprehensive risk management plan that explains OHSU's strategy for implementing security measures sufficient to reduce the risks and vulnerabilities identified in the risk analysis, outline a timeline for all planned remediation action, and identify compensating controls that will be in place in the interim to safeguard OHSU's ePHI;
- Provide an update to HHS regarding OHSU's encryption status, including implementation of a mobile device management solution to ensure all OHSU-owned and personally owned mobile devices that access ePHI on OHSU's secure network are encrypted;
- Provide OHSU's workforce with security awareness training, including communication to all members of the OHSU community describing its commitment to enterprise encryption.
"We made significant data security enhancements at the time of the incidents and now are investing at an unprecedented level in proactive measures to further safeguard patient information," says Bridget Barnes, OHSU's CIO.
"In the coming weeks, OHSU will engage an external information security consultant and convene a multidisciplinary steering committee from across the university to help us meet the requirements of the corrective action plan," she says. "Over the next few months and beyond, OHSU integrity and information security experts will work with the consultant and our steering committee to identify patient information security risks or vulnerabilities, and make regular reports to OCR, and implement any necessary mitigation strategies."
While patients and healthcare providers benefit significantly from access to electronic health records and emails from various devices and locations, the access comes with new security challenges, Barnes says. "In the face of these challenges, OHSU is proactively working to ensure the creation of a sustainable gold standard for protected health information security and HIPAA compliance."
OHSU declined an Information Security Media Group request for additional comment on the OCR settlement and corrective action plan.
So far in 2016, two other HIPAA settlements also focused on the absence of business associate agreements. Those include a $1.55 million settlement in March with North Memorial Health Care and a $750,000 settlement in April with Raleigh Orthopaedic Clinic, P.A. of North Carolina.
Also, since 2008, OCR has issued several resolution agreements with covered entities related to breach investigations stemming from the theft or loss of unencrypted mobile computing devices and storage media.
One of the largest such settlements was a $1.7 million OCR resolution agreement with Alaska Department of Health and Human Services in 2012 over a 2009 breach involving a stolen USB drive containing protected health information of only 501 people.
Alaska DHHS was also cited for a list of other security shortcomings uncovered by OCR during its breach investigation at the state agency, including the lack of a comprehensive risk analysis.
The announcement of the settlement between OHSU and OCR came near the end of a busy week of activity at OCR.
That includes OCR issuing new ransomware guidance, as well as the agency announcing that 167 covered entities have been notified of being chosen for desk audits in phase two of OCR's HIPAA compliance audit program (see Organizations Facing HIPAA Audits Notified).
But despite all the recent OCR actions, "I see this activity as mainly a coincidence, not more than that," Nahra says.
But Borten says there could potentially be other factors driving the flurry of recent OCR activity. "Every new [presidential] administration, even of the same party, has its own agenda and priorities," she notes. "There's no guarantee that the current HHS leaders and their goals will continue into the next administration."