Oregon Health and Science University (OHSU) is a highly ranked public university in Portland, Oregon. On March 23, 2013, as acovered entity under HIPAA, the university had to assign itself a failing grade in protecting electronic personal health information (ePHI) in its custody.
Multiple ePHI breaches
OHSU reported multiple breaches to the U.S. Department of Health and Human Services Office for Civil Rights (OCR). The reports disclosed the following:
No business associate contract
When OCR investigators dug further, they uncovered “widespread vulnerabilities” in OHSU’s HIPAA compliance. Included was OHSU’s failure to execute a business associate contract with the residents’ online storage provider.
Sensitive patient data compromised
OCR investigators identified a “significant risk of harm” to 1,361 of the 3,044 individuals whose data was posted on line, by virtue of the “extremely sensitive nature” of their diagnoses and illnesses.
Breaches occurred despite multiple risk analyses
The HIPAA Security Rule (45 C.F.R., 164-302) requires covered entities to perform risk analysis, and the OCR publishes periodicguidance. In its investigation, OCR found that OHSU did risk analyses from 2003 through 2013, but failed to include all records under OSHU’s custody. Moreover, OCR found, OHSU identified risks and vulnerabilities and actually documented them. Unfortunately, OSHU took no follow up action, particularly at the management level.
Here’s how the July 18, 2016, HHS new release put it:
OHSU also lacked policies and procedures to prevent, detect, contain, and correct security violations and failed to implement a mechanism to encrypt and decrypt ePHI or an equivalent alternative measure for ePHI maintained on its workstations, despite having identified this lack of encryption as a risk.
Nearly 3 million reasons to be HIPAA compliant
The cost to OHSU was a monetary settlement–they don’t call it a fine, but it is, really–of $2.7 million. Along with the settlement, OHSU must implement a comprehensive three-year corrective action plan (CAP)–which, not coincidentally is just about everything the HIPAA Security Rule requires covered entities to follow.
The OHSU CAP
Under the agreement OSHU must:
1. Do an accurate and thorough assessment of the risks and vulnerabilities to their data and include their facilities located outside of Portland, Oregon. Including everything–systems, networks, and devices–that handle ePHI.
2. Develop a risk management plan that is comprehensive and:
3. Tighten its mobile device management program by inventorying, encrypting and controlling all OHSU-owned as well as personally-owned mobile devices. Enforce and prohibit restrictions on the transfer of ePHI to personally-owned and unencrypted removable storage devices.
4. Develop a security awareness and training program for everyone in the OHSU community. The program must include awareness of privacy and security related to:
OHSU has 90 days to provide the documented training materials for HHS review and approval.
Want to save millions?
Globalquest Solutions is the trusted choice when it comes to staying ahead of the latest HIPAA developments, information technology tips, tricks, and news. Contact us at 716-601-3524 or send us an email at email@example.com for more information.