HIPAA Vulnerabilities Highlighted in Oregon Health & Science University Settlement

Logan Parker
Privacy Editor
Loyola University Chicago School of Law, LL.M in Health Law 2017


In 2013, Oregon Health & Science University (“OHSU”), Oregon’s only academic health center, reported numerous breaches of unsecured electronic protected health information (“ePHI”), including two breaches within the span of five months. This led to the Office of Civil Rights (“OCR”) levying a burdensome financial penalty and corrective action plan (“CAP”) upon OHSU.

One breach involved the theft of a laptop computer; the other involved the storage of more than 3,000 individuals’ protected health information on a cloud-based server. OHSU stored that data without first obtaining a valid, executed Business Associate Agreement (“BAA”) from the provider. OCR promptly opened an investigation into OHSU’s Health Insurance Portability and Accountability Act (“HIPAA”) compliance program. During its investigation, OCR found that although OHSU had performed risk analyses over the years, those analyses did not cover all ePHI in OHSU’s enterprise. OCR also found that OHSU had failed to act expeditiously to reduce identified risks to a reasonable and appropriate level and had failed to implement proper security controls.


As a result of OHSU’s conduct and OCR’s findings, OHSU agreed to settle the potential violations of the HIPAA Privacy and Security Rules by entering into a comprehensive three-year CAP and paying a monetary penalty of $2,700,000.

Corrective Action Plan

OHSU agreed to the following corrective action obligations:

  1. Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to ePHI held by OHSU;
  2. Develop a comprehensive risk management plan;
  3. Provide Health and Human Services (“HHS”) with its completed risk analysis and risk management plan within 310 days of the Effective Date of the CAP;
  4. Implement a Mobile Device Management solution that will ensure all mobile devices that access ePHI are encrypted;
  5. Create a solution to enforce encryption of ePHI on OHSU-owned and personally owned devices and periodically test the effectiveness of that solution;
  6. Employ policies that prohibit the transfer of data containing ePHI from OHSU devices to unencrypted removable storage devices, and create a solution to enforce these policies;
  7. Communicate to OHSU’s community its commitment to enterprise encryption;
  8. Provide HHS with OHSU’s security training materials (this training should encapsulate HIPAA Privacy and Security Rule features);
  9. Seek approval of OHSU training materials by HHS;
  10. Train all members of OHSU’s community and review the training materials annually;
  11. Report staff HIPAA non-compliance to HHS and investigate those matters;
  12. Submit Annual Reports to HHS regarding OHSU’s compliance with CAP; and
  13. Retain documents and records relating to compliance for six (6) years from the Effective Date of the CAP.

If OHSU breaches the CAP, it has a limited period of time to cure the breach. If the breach is not cured by the end of that period, HHS will impose an additional monetary penalty on OHSU.

Lessons Learned

OHSU had opportunities to rectify insufficient HIPAA processes and procedures, including addressing the absence of the BAA with the cloud-based server provider. OCR Director Jocelyn Samuels says that the OHSU settlement highlights “the importance of leadership engagement” and why it is so critical for a company’s executive leadership to take HIPAA compliance seriously.

Moreover, the vulnerabilities noted by HHS in the settlement could have been prevented with an effective compliance program. This settlement underscores how necessary the basic compliance measures are: written policies and procedures, adequate training, internal monitoring and auditing, and identifying deficiencies and addressing them.