Monday, November 28, 2016

$2.14 million HIPAA settlement underscores importance of managing security risk


PARCA eNews – Oct. 18, 2016 – St. Joseph Health (SJH) has agreed to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules following the report that files containing electronic protected health information (ePHI) were publicly accessible through internet search engines from 2011 until 2012.


On February 14, 2012, SJH reported to the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) that certain files it created for its participation in the meaningful use program, which contained ePHI, were publicly accessible on the internet from Feb. 1, 2011, until Feb. 13, 2012, via Google and possibly other internet search engines. SJH operates 12 hospital systems, and 16 medical groups in Texas and California,

The server SJH purchased to store the files included a file sharing application whose default settings allowed anyone with an internet connection to access them. Upon implementation of this server and the file sharing application, SJH did not examine or modify it. As a result, the public had unrestricted access to PDF files containing the ePHI of 31,800 individuals, including patient names, health statuses, diagnoses, and demographic information.

In addition to the $2,140,500 settlement, SJH has agreed to a corrective action plan that requires the organization to conduct an enterprise-wide risk analysis, develop and implement a risk management plan, revise its policies and procedures, and train its staff on these policies and procedures. The Resolution Agreement and Corrective Action Plan may be found on the OCR website.

No comments:

Post a Comment

Followers