St. Joseph Health Settle HIPAA Case with $2.14 Million Payment to OCR

St. Joseph Health (SJH) has agreed, with the Department of Health and Human Services’ Office for Civil Rights, to settle potential violations of the HIPAA Privacy and Security Rules for the sum of $2.14 million.

SJH is required to pay the figure to OCR and adopt a corrective action plan (CAP) to bring policies and procedures in adherence to the standard demanded by HIPAA.

SJH is a not-for-profit integrated Catholic health care delivery system which is funded by the St. Joseph Health Ministry. The body provides a wide variety of medical services throughout California, New Mexico and Texas though 14 acute care hospitals and numerous community clinics, skilled nursing facilities, and home health agencies.

SJH was reviewed following an ePHI breach made known to OCR on February 14, 2012. Files that contained ePHI were created by SJH under the Meaningful Use Program; however, those files were left without adequate protection and accessible on the Internet for over a year from February 1, 2011 to February 13, 2012. The PDF files had been indexed by Google – and possibly other search engines. During that time the ePHI of 31,800 people were exposed.

The exposure of ePHI happened due to the failure of SJH to conduct a thorough risk analysis and a security assessment on a server before using it to share files containing ePHI. The server had been bought and a file sharing application installed, yet no alterations were made to the application. The default security settings were not changed, which allowed any person with an Internet connection to gain access to the ePHI in the relevant files.

SJH had hired contractors to review risks and identify dangers to security that could potentially be exploited to gain access to ePHI, but OCR investigators ruled those assessments were “conducted in a patchwork fashion and did not result in an enterprise-wide risk analysis,” which violated the HIPAA Security Rule.

Announcing the settlement publicly, OCR Director Jocelyn Samuels stated “Entities must not only conduct a comprehensive risk analysis, but must also evaluate and address potential security risks when implementing enterprise changes impacting ePHI”. She added “The HIPAA Security Rule’s specific requirements to address environmental and operational changes are critical for the protection of patient information.”

2016 has been a record-breaking year for HIPAA settlements. So far, OCR has agreed 12 settlements with covered entities in 2016, with payments of more than $22,855,000 to OCR to resolve potential HIPAA violations found during data breach reviews.

As Samuels outlined in a recent blog post, ”We hope that our resolution agreements will provide a template for other health care entities to take the proactive steps necessary to ensure compliance with HIPAA requirements.”