St. Joseph Health to Pay OCR $2.14 Million to Resolve HIPAA Case

The Department of Health and Human Services’ Office for Civil Rights (OCR) has announced a settlement with St. Joseph Health (SJH) over potential violations of the HIPAA Privacy and Security Rules. St. Joseph Health will pay OCR $2.14 million and implement a corrective action plan (CAP) to bring its policies and procedures up to the standard HIPAA requires.

St. Joseph Health is a not-for-profit integrated Catholic health care delivery system sponsored by the St. Joseph Health Ministry. SJH provides a wide range of medical services across New Mexico, California, and Texas through 14 acute care hospitals and numerous skilled nursing facilities, community clinics, and home health agencies.

SJH was investigated after a breach of ePHI was reported to OCR on February 14, 2012. Files containing ePHI had been created by SJH for the Meaningful Use Program; however, those files were left unprotected and publicly accessible on the Internet for over a year, from February 1, 2011, to February 13, 2012. The PDF files had been indexed by Google, and possibly by other search engines as well. During that time the ePHI of 31,800 individuals was exposed.

The exposure of ePHI was a direct consequence of St. Joseph Health’s failure to conduct a thorough risk analysis and security evaluation of a server before using it to share files containing ePHI. The server had been purchased and a file sharing application installed on it, but the application’s configuration was never changed. Its default security settings were left in place, which allowed anyone with an Internet connection to access the ePHI in the files.

SJH had hired contractors to assess risks and identify security weaknesses that could be exploited to access ePHI, but OCR investigators concluded those assessments were “carried out in a patchwork way and didn’t lead to an enterprise-wide risk examination,” which violated the HIPAA Security Rule.

Announcing the settlement, OCR Director Jocelyn Samuels said, “Bodies should not just carry out a complete risk analysis, but should also assess and tackle possible safety risks when applying enterprise modifications affecting ePHI.” She added, “The HIPAA Safety Rules’ particular requirements to tackle operational and environmental modifications are vital for the safety of patient data.”

2016 has been a record-breaking year for HIPAA settlements. So far, OCR has finalized 12 settlements with covered entities in 2016, with covered entities paying over $22,855.00 to OCR to resolve potential HIPAA violations uncovered during data breach investigations.

As Samuels explained in a recent blog post, “We expect that our resolution settlements will offer a model for other health care bodies to take the practical measures necessary to make sure conformity with HIPAA requirements.”


Posted by

Mark Wilson

Mark Wilson is a news reporter specializing in information technology cyber security. Mark has contributed to leading publications and spoken at international forums with a focus on cybersecurity threats and the importance of data privacy. Mark is a computer science graduate.