University Health Center Smacked With $875,000 HIPAA Fine
HIPAA Settlement Is Regulatory Agency's Largest So Far This Year
Federal regulators this week hit Oklahoma State University's Center for Health Sciences with a hefty fine and corrective action plan as part of a HIPAA settlement for the breach of patient health information affecting nearly 280,000 people. The breach had gone unreported for months.
The Department of Health and Human Services' Office for Civil Rights in a statement Thursday said OSU-CHS agreed to pay an $875,000 financial settlement and implement a series of corrective actions to resolve potential HIPAA violations related to patient privacy. The settlement closed the agency's investigation into the hacking incident reported by the Stillwater, Oklahoma-based research university in January 2018.
HHS OCR's settlement with OSU-CHS is the agency's fifth - and largest - HIPAA enforcement action so far in 2022.
The agency on Friday announced settlements with 11 other medical centers, a nursing home and doctors, with fines ranging from $3,500 to $240,000.
HHS OCR says that OSU-CHS initially reported that the breach occurred on Nov. 7, 2017, when an unauthorized third party gained access to an OSU-CHS web server by uploading malware.
But OSU-CHS later reported that electronic protected health information was first impermissibly disclosed about 20 months earlier in March 2016.
The agency found that some workers stored folders on the web server that contained patient information, including "names, Medicaid numbers, healthcare provider names, dates of service, dates of birth, addresses and treatment information," but the provider said it was unaware of the practice.
OSU-CHS, which provides preventive, rehabilitative and diagnostic care in Oklahoma, did not immediately respond to Information Security Media Group's request for comment.
OCR's investigation into the OSU-CHS breach found potential violations of the HIPAA rules, including:
- Impermissible uses and disclosures of protected health information;
- Failure to conduct an accurate and thorough risk analysis;
- Failure to perform an evaluation;
- Failures to implement audit controls, security incident response and reporting;
- Failure to provide timely breach notification to affected individuals and HHS.
"HIPAA-covered entities are vulnerable to cyberattackers if they fail to understand where ePHI is stored in their information systems," says Lisa Pino, HHS OCR director, in a statement. "Effective cybersecurity starts with an accurate and thorough risk analysis and implementing all of the security rule requirements."
Corrective Action Plan
Under a corrective action plan, OSU-CHS agreed to:
- Conduct a comprehensive, enterprise-wide risk analysis and mitigate security threats and vulnerabilities identified;
- Develop, maintain and revise written policies and procedures to comply with regulations of the HIPAA privacy, security and breach notification rules;
- Distribute those policies to the workforce and provide related training to employees who have access to PHI.
OSU-CHS also must designate an individual or entity to monitor its compliance with the plan for two years.
Some experts note that other covered entities and business associates should learn from HHS OCR's investigation into the OSU-CHS breach.
For instance, an annual risk analysis addressing technical, administrative and physical safeguards is the first line of defense against cybersecurity attacks, says regulatory attorney Rachel Rose. "Additionally, it is imperative that adequate software is in place, penetration tests are conducted and training is updated," she says.
Privacy attorney David Holtzman of the consulting firm HITprivacy offers a similar viewpoint.
"Almost every OCR enforcement action involving a breach of PHI can be traced back to the HIPAA-covered entity or business associate failing to implement a risk management plan that includes continuous assessment and response to constantly evolving threats and vulnerabilities," he says.
The investigation of the OSU breach found multiple instances of intruders infiltrating the information system over years, indicating that the incidents "apparently went undiscovered or unreported," he says.
The HIPAA Security Rule requires covered entities and business associates to implement technical safeguards for monitoring access and alerting organizations to inappropriate activity and identifying potential threats in the network.
"The OSU settlement is another example showing the risk when organizations do not invest in technologies that perform information system-activity audit and review," Holtzman says.
The size of the OSU-CHS settlement, along with the scope and breadth of the corrective action plan, reflects OCR's findings of the systemic failure to implement a risk-based information security program, Holtzman adds.
"The lack of policies and procedures for safeguards to protect the financial and health information of consumers, combined with a failure to perform information security risk assessments or mitigate vulnerabilities that would have been discovered, left the information system open to attack," he says.
Prior Enforcement Actions
In March, HHS OCR disclosed it had taken actions against four small covered entities, including three settlements ranging from $28,000 to $62,550 and one $50,000 civil monetary penalty in an impermissible PHI disclosure incident (see: HHS OCR Issues 4 HIPAA Enforcement Actions).
The three settlements included two cases involving patient right of access disputes. But the most egregious case settled at the time involved an Alabama dental practice that allegedly disclosed patient PHI to third parties for use in the owner's unsuccessful campaign for state Senate.