OCR Reaches $2M HIPAA Settlement with Calif. Healthcare System

The settlement comes after the healthcare system self-reported the potential disclosure of 31,800 people's protected health information.
Published: October 20, 2016

St. Joseph Health agreed to pay $2.14 million to settle potential violations of the Health Insurance Portability and Accountability Act.

The settlement follows St. Joseph’s report that electronic protected health information was publicly accessible through internet search engines, including Google, from 2011 to 2012. The possible violation occurred when a new server was put in use that included a file sharing application whose default settings allowed anyone with an internet connection to access its files.

The Office for Civil Rights faulted St. Joseph for failing to examine or modify the server despite the fact that officials knew it contained the ePHI of 31,800 people.
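The root cause described above, a file-sharing server that served ePHI to anyone on the internet, including search-engine crawlers, for roughly a year, is detectable from the server's own access logs. The following is an added example, not code from the article or from St. Joseph Health: it parses Combined Log Format lines and flags every successful anonymous request under a protected path, marking those made by known search-engine crawlers. The sample log lines, the `/share/` prefix and the crawler user-agent markers are constructed assumptions.

```python
import re

# Constructed sample access-log lines in Combined Log Format (not from the article).
SAMPLE_LOG = """\
203.0.113.10 - - [05/Mar/2011:10:01:22 +0000] "GET /share/patients/2011-02.csv HTTP/1.1" 200 48213 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
203.0.113.10 - - [05/Mar/2011:10:01:25 +0000] "GET /share/ HTTP/1.1" 200 9120 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
198.51.100.7 - jdoe [05/Mar/2011:10:02:10 +0000] "GET /share/patients/2011-02.csv HTTP/1.1" 200 48213 "-" "Mozilla/5.0"
198.51.100.8 - - [05/Mar/2011:10:03:40 +0000] "GET /share/patients/2011-02.csv HTTP/1.1" 401 0 "-" "curl/7.21.0"
203.0.113.11 - - [05/Mar/2011:10:05:00 +0000] "GET /robots.txt HTTP/1.1" 404 0 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
"""

# Combined Log Format: ip ident user [timestamp] "method path proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)

# Substrings that identify common search-engine crawlers (assumed list, extend as needed).
CRAWLER_MARKERS = ("googlebot", "bingbot", "yandex", "duckduckbot", "baiduspider")


def parse_line(line):
    """Return the parsed fields of one log line, or None if it is not in the expected format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_exposures(log_text, protected_prefix="/share/"):
    """Flag requests under protected_prefix that were served (HTTP 200) without an
    authenticated user. Each finding records whether the client was a search-engine
    crawler, which is the signal that the content may already be indexed publicly."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or not rec["path"].startswith(protected_prefix):
            continue
        if rec["status"] != "200" or rec["user"] != "-":
            continue  # request was denied, or served to an authenticated user
        ua = rec["ua"].lower()
        findings.append({
            "path": rec["path"],
            "ip": rec["ip"],
            "crawler": any(mark in ua for mark in CRAWLER_MARKERS),
        })
    return findings


if __name__ == "__main__":
    for finding in find_exposures(SAMPLE_LOG):
        print(finding)
```

Run against a real log, a non-empty result for a path that is supposed to require authentication is the signal that the share's default access settings need to be reviewed before, not after, a crawler has indexed it.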

St. Joseph’s potential HIPAA violations are listed below:

  • Between Feb. 1, 2011 and Feb. 13, 2012, SJH potentially disclosed the PHI of 31,800 individuals.
  • SJH may have failed to “conduct an evaluation in response to the environmental and operational changes presented by implementation of a new server for its meaningful use project.”
  • Although SJH hired contractors “to assess the risks and vulnerabilities to the confidentiality, integrity and availability of ePHI held by SJH, evidence indicated that this was conducted in a patchwork fashion and did not result in an enterprise-wide risk analysis, as required by the HIPAA Security Rule.”

OCR Director Jocelyn Samuels clarified that under the Security Rule, “entities must not only conduct a comprehensive risk analysis, but must also evaluate and address potential security risks when implementing enterprise changes impacting ePHI.”

As part of the agreement, SJH will conduct a risk analysis, develop and implement a risk management plan, revise its policies and procedures, and train its staff on these policies and procedures.

St. Joseph Health is a non-profit integrated Catholic health care delivery system sponsored by the St. Joseph Health Ministry. SJH includes 14 acute care hospitals, home health agencies, hospice care, outpatient services, skilled nursing facilities, community clinics and physician organizations in California, New Mexico and Texas.

Read the full resolution agreement and corrective action plan here.
