Globalquest Solutions

OHSU Pays Millions in HIPAA Security Violation Settlement


Oregon Health and Science University (OHSU) is a highly-ranked public university in Portland, Oregon. On March 23, 2013, as a covered entity under HIPAA, the university had to assign itself a failing grade in protecting electronic personal health information (ePHI) in its custody.

Multiple ePHI breaches

OHSU reported multiple breaches to the U.S. Department of Health and Human Services Office for Civil Rights (OCR). The reports disclosed the following:

  • An OHSU surgeon took his laptop to a Hawaii vacation rental. The laptop was not encrypted. Someone stole the computer along with information on 4,022 patients.
  • New physicians in OHSU’s residency program used a cloud storage device to maintain information on 3,044 patients in the plastic surgery, urology, and kidney transplant programs.

No business associate contract

When OCR investigators dug further, they uncovered “widespread vulnerabilities” in OHSU’s HIPAA compliance. Included was OHSU’s failure to execute a business associate contract with the residents’ online storage provider.

Sensitive patient data compromised

OCR investigators identified a “significant risk of harm” to 1,361 of the 3,044 individuals whose data was posted online, by virtue of the “extremely sensitive nature” of their diagnoses and illnesses.

Breaches occurred despite multiple risk analyses

The HIPAA Security Rule (45 C.F.R. 164-302) requires covered entities to perform a risk analysis, and OCR publishes periodic guidance on how to do it. In its investigation, OCR found that OHSU did perform risk analyses from 2003 through 2013, but failed to include all of the records in OHSU’s custody. Moreover, OCR found that OHSU identified risks and vulnerabilities and actually documented them. Unfortunately, OHSU took no follow-up action, particularly at the management level.

Here’s how the July 18, 2016, HHS news release put it:

OHSU also lacked policies and procedures to prevent, detect, contain, and correct security violations and failed to implement a mechanism to encrypt and decrypt ePHI or an equivalent alternative measure for ePHI maintained on its workstations, despite having identified this lack of encryption as a risk.

Nearly 3 million reasons to be HIPAA compliant

The cost to OHSU was a monetary settlement–they don’t call it a fine, but it is, really–of $2.7 million. Along with the settlement, OHSU must implement a comprehensive three-year corrective action plan (CAP)–which, not coincidentally, is just about everything the HIPAA Security Rule already requires covered entities to follow.

The OHSU CAP

Under the agreement, OHSU must:

1. Do an accurate and thorough assessment of the risks and vulnerabilities to its data, including its facilities located outside of Portland, Oregon. The assessment must cover everything–systems, networks, and devices–that handles ePHI.

2. Develop a risk management plan that is comprehensive and:

  • explains OHSU’s ongoing strategy to enforce security measures, which are realistically based on OHSU’s circumstances
  • includes a comprehensive, organization-wide plan to ensure supervision and oversight of the OHSU staff in HIPAA-related measures
  • provides timelines and expected completion dates for implementing the risk management plan

3. Tighten its mobile device management program by inventorying, encrypting, and controlling all OHSU-owned as well as personally-owned mobile devices, and enforce restrictions that prohibit the transfer of ePHI to personally-owned and unencrypted removable storage devices.

4. Develop a security awareness and training program for everyone in the OHSU community. The program must include awareness of privacy and security related to:

  • using internet-based storage services
  • disclosures to third parties and the need for business associate agreements
  • training managers in effective supervision of their workforce in disclosures of personal health information
  • how to report a security incident or a data breach
  • how to manage passwords

OHSU has 90 days to provide the documented training materials for HHS review and approval.

Want to save millions?

Globalquest Solutions is the trusted choice when it comes to staying ahead of the latest HIPAA developments, information technology tips, tricks, and news. Contact us at 716-601-3524 or send us an email at info@globalquestinc.com for more information.
