St. Joseph Health Settle HIPAA Case with $2.14 Million Payment to OCR

by | Oct 20, 2016

St. Joseph Health (SJH) has agreed, with the Department of Health and Human Services’ Office for Civil Rights, to settle potential violations of the HIPAA Privacy and Security Rules for the sum of $2.14 million.

SJH is required to pay the figure to OCR and adopt a corrective action plan (CAP) to bring policies and procedures in adherence to the standard demanded by HIPAA.

SJH is a not-for-profit integrated Catholic health care delivery system which is funded by the St. Joseph Health Ministry. The body provides a wide variety of medical services throughout California, New Mexico and Texas though 14 acute care hospitals and numerous community clinics, skilled nursing facilities, and home health agencies.

SJH was reviewed following an ePHI breach made known to OCR on February 14, 2012. Files that contained ePHI were created by SJH under the Meaningful Use Program; however, those files were left without adequate protection and accessible on the Internet for over a year from February 1, 2011 to February 13, 2012. The PDF files had been indexed by Google – and possibly other search engines. During that time the ePHI of 31,800 people were exposed.

The exposure of ePHI happened due to the failure of SJH to conduct a thorough risk analysis and a security assessment on a server before using it to share files containing ePHI. The server had been bought and a file sharing application installed, yet no alterations were made to the application. The default security settings were not changed, which allowed any person with an Internet connection to gain access to the ePHI in the relevant files.

SJH had hired contractors to review risks and identify dangers to security that could potentially be exploited to gain access to ePHI, but OCR investigators ruled those assessments were “conducted in a patchwork fashion and did not result in an enterprise-wide risk analysis,” which violated the HIPAA Security Rule.

Announcing the settlement publicly, OCR Director Jocelyn Samuels stated “Entities must not only conduct a comprehensive risk analysis, but must also evaluate and address potential security risks when implementing enterprise changes impacting ePHI”. She added “The HIPAA Security Rule’s specific requirements to address environmental and operational changes are critical for the protection of patient information.”

2016 has been a record-breaking year for HIPAA settlements. So far, OCR has agreed 12 settlements with covered entities in 2016, with payments of more than $22,855,000 to OCR to resolve potential HIPAA violations found during data breach reviews.

As Samuels outlined in a recent blog post, ”We hope that our resolution agreements will provide a template for other health care entities to take the proactive steps necessary to ensure compliance with HIPAA requirements.”

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.


Please enable JavaScript in your browser to complete this form.

Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelors degree is from the University of Limerick and his master's degree in journalism is from Dublin City University. You can contact Patrick through his LinkedIn profile:

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.

Comprehensive HIPAA Training

Used in 1000+ Healthcare Organizations and 100+ Universities

    Full Course - Immediate Access

    Privacy Policy