The U.S. Department of Health and Human Services, Office for Civil Rights (OCR) is reporting that St. Joseph Health (SJH) has agreed to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules following the report that files containing electronic protected health information (ePHI) were publicly accessible through internet search engines from 2011 until 2012.
SJH, a nonprofit integrated Catholic health care delivery system sponsored by the St. Joseph Health Ministry, will pay a settlement and adopt a comprehensive corrective action plan.
Background:
On February 14, 2012, SJH reported to the U.S. Department of Health and Human Services, OCR that certain files it created for its participation in the meaningful use program, which contained ePHI, were publicly accessible on the internet from February 1, 2011, until February 13, 2012, via Google and possibly other internet search engines. The server SJH purchased to store the files included a file sharing application whose default settings allowed anyone with an internet connection to access them. Upon implementing this server and the file sharing application, SJH did not examine or modify those default settings. As a result, the public had unrestricted access to PDF files containing the ePHI of 31,800 individuals, including patient names, health statuses, diagnoses, and demographic information.
In addition to the $2,140,500 settlement, SJH has agreed to a corrective action plan that requires the organization to conduct an enterprise-wide risk analysis, develop and implement a risk management plan, revise its policies and procedures, and train its staff on these policies and procedures.
Key Take-aways:
This case provides an excellent example of the need for HIPAA-covered entities to be ever vigilant about HIPAA compliance. Organizations should ensure they:
- Conduct an enterprise-wide risk analysis of security risks and vulnerabilities that incorporates all electronic equipment, data systems, and applications controlled, administered, or owned by the organization or its workforce members (including affiliated staff) that contain, store, transmit, or receive ePHI.
- Regularly complete a thorough inventory of all electronic equipment, data systems, and applications that contain or store ePHI, which should then be incorporated in its risk analysis.
- Develop, implement, and regularly review an organization-wide risk management plan to address and mitigate any security risks and vulnerabilities identified in the risk analysis.
- Have policies and procedures that ensure they are complying with 45 C.F.R. § 164.502(a), which outlines the requirements for uses and disclosures of health information.
- Regularly conduct training for all personnel on acceptable uses and disclosures of ePHI.
See the StayAlert! Notice, published on October 19, 2016, for policies and procedures related to managing HIPAA related security risks.