OCR Reaches $2M HIPAA Settlement with Calif. Healthcare System

The settlement comes after the healthcare system self-reported the potential disclosure of 31,800 people’s protected health information.

St. Joseph Health agreed to pay $2.14 million to settle potential violations of the Health Insurance Portability and Accountability Act.

The settlement follows St. Joseph’s report that electronic protected health information was publicly accessible through internet search engines, including Google, from 2011 to 2012. The possible violation occurred when a new server was put into use that included a file-sharing application whose default settings allowed anyone with an internet connection to access its files.

The Office for Civil Rights faulted St. Joseph for failing to examine or modify the server despite the fact that officials knew it contained the ePHI of 31,800 people.

St. Joseph’s potential HIPAA violations are listed below:

  • Between Feb. 1, 2011 and Feb. 13, 2012, SJH potentially disclosed the PHI of 31,800 individuals.
  • SJH may have failed to “conduct an evaluation in response to the environmental and operational changes presented by implementation of a new server for its meaningful use project.”
  • Although SJH hired contractors “to assess the risks and vulnerabilities to the confidentiality, integrity and availability of ePHI held by SJH, evidence indicated that this was conducted in a patchwork fashion and did not result in an enterprise-wide risk analysis, as required by the HIPAA Security Rule.”

OCR Director Jocelyn Samuels clarified that under the Security Rule, “entities must not only conduct a comprehensive risk analysis, but must also evaluate and address potential security risks when implementing enterprise changes impacting ePHI.”

As part of the agreement, SJH will conduct a risk analysis, develop and implement a risk management plan, revise its policies and procedures, and train its staff on these policies and procedures.

St. Joseph Health is a non-profit integrated Catholic health care delivery system sponsored by the St. Joseph Health Ministry. SJH includes 14 acute care hospitals, home health agencies, hospice care, outpatient services, skilled nursing facilities, community clinics and physician organizations in California, New Mexico and Texas.

Read the full resolution agreement and corrective action plan here.
