Federal Government Continues High Level Prioritization on HIPAA Violations and Making Examples of Violators.
The United States Department of Health and Human Services, Office for Civil Rights (“HHS”), which enforces the Federal standards that govern the privacy of individually identifiable health information has concluded an action against St. Joseph Health (“SJH”), based on HIPAA violations that resulted in a $2.14 million settlement. The government’s announcement stated, in part, : “St. Joseph Health (SJH) has agreed to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules following the report that files containing electronic protected health information (ePHI) were publicly accessible through internet search engines from 2011 until 2012”. This violation was self-reported by SJH to HHS in February 2012 and has been under investigation, and in settlement discussions, of most of the intervening time.
OCR’s investigation indicated the following potential violations of the HIPAA Rules:
- From February 1, 2011 to February 13, 2012, SJH potentially disclosed the PHI of 31,800 individuals;
- Evidence indicated that SJH failed to conduct an evaluation in response to the environmental and operational changes presented by implementation of a new server for its meaningful use project, thereby compromising the security of ePHI;
- Although SJH hired a number of contractors to assess the risks and vulnerabilities to the confidentiality, integrity and availability of ePHI held by SJH, evidence indicated that this was conducted in a patchwork fashion and did not result in an enterprise-wide risk analysis, as required by the HIPAA Security Rule.
“Entities must not only conduct a comprehensive risk analysis, but must also evaluate and address potential security risks when implementing enterprise changes impacting ePHI,” said OCR Director Jocelyn Samuels. “The HIPAA Security Rule’s specific requirements to address environmental and operational changes are critical for the protection of patient information.
In addition to the $2,140,500 settlement, SJH has agreed to a corrective action plan that requires the organization to conduct an enterprise-wide risk analysis, develop and implement a risk management plan, revise its policies and procedures, and train its staff on these policies and procedures. The Resolution Agreement and Corrective Action Plan may be found on the OCR website at http://www.hhs.gov.”
The need to properly plan for issues on ePHI protection, to investigate any and all potential violations or incursions and to take full and prompt remedial action is part and parcel of the responsibility of every health care organization that obtains and maintains ePHI. Marcum has been active in the issues of protecting this information and in assisting those who hold ePHI in verifying the proper protection is in place, and in reacting to alleged or actual breeches of security.