Featured Health Business Daily Story, Nov. 10, 2016

New OCR Settlement Has Old Ring: Simple Security Slips Now Trigger Millions in Fines

Reprinted from REPORT ON PATIENT PRIVACY, the industry's #1 source of timely news and business strategies for safeguarding patient privacy and data security.

November 2016, Volume 16, Issue 11

In 2011, Idaho State University (ISU) discovered that a contractor forgot to reactivate a firewall at one of its medical practices, potentially exposing the protected health information (PHI) of some 17,000 patients over a nine-month period. Two years after reporting the breach to the HHS Office for Civil Rights, ISU paid OCR $400,000 and agreed to a two-year corrective action plan (CAP) that called for an updated risk analysis (RPP 6/13, p. 1).

In 2012, St. Joseph Health System of Irvine, Calif., likewise found that a network server had been improperly configured, leaving the PHI of roughly twice as many patients as in the ISU case searchable online. It, too, alerted OCR, affected patients and the media (RPP 3/12, p. 12). Four years later, on Oct. 13, St. Joseph also signed off on a CAP that requires a risk analysis, but it paid OCR five times ISU’s settlement amount.

St. Joseph’s $2.14 million agreement is OCR’s 12th so far this year and brings its total financial penalties collected in 2016 to a record $22.84 million. In both this case and ISU’s, the organizations expressed confidence that none of the PHI was misused. But that matters little to OCR, as the agency has made clear time and again. This latest settlement also shows how even small mistakes are now costing covered entities millions.

The exposed data related to patients seen at five of St. Joseph’s 14 acute care hospitals in the system, which also provides care in Texas and New Mexico. St. Joseph officials were analyzing data for meaningful use certifications for its electronic medical records system.


Breaches Can Be Very Costly

Following the settlement, the system expressed satisfaction that the investigation had ended and remorse for what had happened. It also offered some insight into how much more the breach had cost it beyond the payment to OCR and the amounts spent on credit monitoring and other services.

“St. Joseph Health is pleased that we could come to a settlement on this issue and we deeply regret any undue concern to our patients. The facts to remember about this case are that data did not include Social Security, addresses or financial data. Additionally, there is no indication that the information was used by unauthorized persons,” according to a statement provided to RPP. “Since the situation was discovered, we have invested in a number of initiatives to ensure the continued security of patient data, including $17 million in enhanced data security infrastructure. These measures and more are intended to provide for the safety and security of our patients’ information.”

At the time of the breach, St. Joseph said the PHI “had been contained in files that were intended to be maintained securely and used only by the hospitals. However, security settings were incorrect and allowed for the potential of data disclosure. Since discovering this situation, files have been secured within the hospital’s system and the hospital’s teams are working to eliminate residual or archived information from the Internet.”

But the $2.14 million to OCR and the $17 million in investments (plus the unknown costs of breach notification, related activities and legal fees) still don’t tell the whole tale. In September 2015, St. Joseph Health settled a class action suit stemming from the breach and contributed $7.5 million to a fund to reimburse affected individuals, and this February the Orange County Superior Court also awarded attorneys $7.45 million, to be paid by St. Joseph Health, which did not admit to any wrongdoing. A patient who discovered her PHI online in January 2012 and brought it to St. Joseph’s attention received $15,000.

OCR officials said they had “evidence” showing that St. Joseph “failed to conduct an evaluation in response to the environmental and operational changes presented by implementation of a new server for its meaningful use project, thereby compromising the security [of electronic PHI (ePHI) and that despite hiring] a number of contractors to assess the risks and vulnerabilities to the confidentiality, integrity and availability of ePHI. … Evidence indicated that this was conducted in a patchwork fashion and did not result in an enterprise-wide risk analysis, as required by the HIPAA Security Rule.”

As could be expected, the CAP requires St. Joseph to “conduct an enterprise-wide risk analysis, develop and implement a risk management plan, revise its policies and procedures, and train its staff on these policies and procedures.”

Specifically, OCR is giving St. Joseph, from the date of the settlement:

  • 240 days to “provide HHS an accurate and thorough enterprise-wide risk analysis of security risks and vulnerabilities that incorporates all electronic equipment, data systems, and applications controlled, administered, or owned by SJH, its workforce members, and affiliated staff that contains, stores, transmits, or receives electronic protected health information (ePHI) for review.” As part of this, St. Joseph must also “develop a complete inventory of all electronic equipment, data systems, and applications that contain or store ePHI, which will be incorporated in its risk analysis.”

  • 60 days to provide “an organization-wide risk management plan to address and mitigate any security risks and vulnerabilities identified in the risk analysis” once OCR has approved the analysis.

  • 30 days to “finalize and officially adopt the risk management plan in accordance with its applicable administrative procedures,” following OCR approval of the risk management plan. After this, St. Joseph “shall immediately thereafter begin implementation of the risk management plan and shall distribute the plan to workforce members involved with implementation of the plan.”

  • 60 days following OCR approval of the risk management plan to revise its policies and procedures to comply with 45 CFR 164.502(a), which covers allowable uses and disclosures, and submit them to OCR.

  • 60 days after OCR signs off on St. Joseph’s training materials to “provide training to all appropriate workforce members.” This training must be repeated yearly.

Visit http://tinyurl.com/hetmcch for terms of the settlement.

© 2016 by Atlantic Information Services, Inc. All Rights Reserved.
