{"id":159,"date":"2016-09-09T16:31:03","date_gmt":"2016-09-09T16:31:03","guid":{"rendered":"http:\/\/blogs.luc.edu\/compliance\/?p=159"},"modified":"2016-09-09T16:31:03","modified_gmt":"2016-09-09T16:31:03","slug":"hipaa-vulnerabilities-highlighted-in-oregon-health-science-university-settlement","status":"publish","type":"post","link":"https:\/\/blogs.luc.edu\/compliance\/?p=159","title":{"rendered":"HIPAA Vulnerabilities Highlighted in Oregon Health &amp; Science University Settlement"},"content":{"rendered":"<p><em>Logan Parker<\/em><br \/>\n<em>Privacy Editor<\/em><br \/>\n<em>Loyola University Chicago School of Law, LL.M in Health Law 2017<\/em><\/p>\n<p>&nbsp;<\/p>\n<p>In 2013, Oregon Health &amp; Science University (\u201cOHSU\u201d), <a href=\"http:\/\/www.ohsu.edu\/xd\/about\/index.cfm\">Oregon\u2019s only academic health center<\/a>, reported numerous breaches of unsecured electronic protected health information (\u201cePHI\u201d), including two breaches within the span of five months. This led to the Office for Civil Rights (\u201cOCR\u201d) levying a burdensome financial penalty and corrective action plan (\u201cCAP\u201d) upon OHSU.<\/p>\n<p>One breach involved the theft of a laptop computer; the other involved the storage of more than <a href=\"http:\/\/www.modernhealthcare.com\/article\/20160720\/NEWS\/160729993\">3,000 individuals\u2019 protected health information<\/a> on a cloud-based server. OHSU used this cloud storage without first obtaining a validly executed Business Associate Agreement (\u201cBAA\u201d) from the provider. OCR promptly opened an investigation into OHSU\u2019s Health Insurance Portability and Accountability Act (\u201cHIPAA\u201d) compliance program. 
<a href=\"https:\/\/www.hhs.gov\/about\/news\/2016\/07\/18\/widespread-hipaa-vulnerabilities-result-in-settlement-with-oregon-health-science-university.html\">During its investigation<\/a>, OCR discovered that although OHSU had performed risk analyses over the years, these analyses did not cover all ePHI in OHSU\u2019s enterprise. OCR also found that OHSU had failed to act expeditiously to mitigate identified risks to a reasonable and appropriate level and had failed to implement proper security controls.<\/p>\n<p><strong>Settlement<\/strong><\/p>\n<p>As a result of OHSU\u2019s conduct and OCR\u2019s findings, OHSU agreed to settle the potential violations of the HIPAA Privacy and Security Rules by entering into a comprehensive three-year CAP and paying a monetary penalty of $2,700,000.<\/p>\n<p><strong>Corrective Action Plan<\/strong><\/p>\n<p>OHSU agreed to the following <a href=\"https:\/\/www.hhs.gov\/sites\/default\/files\/ohsuracap_508.pdf\">corrective action obligations<\/a>:<\/p>\n<ol>\n<li>Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to ePHI held by OHSU;<\/li>\n<li>Develop a comprehensive risk management plan;<\/li>\n<li>Provide Health and Human Services (\u201cHHS\u201d) with its completed risk analysis and risk management plan within 310 days of the Effective Date of the CAP;<\/li>\n<li>Implement a Mobile Device Management solution that will ensure all mobile devices that access ePHI are encrypted;<\/li>\n<li>Create a solution to enforce encryption of ePHI on OHSU-owned and personally owned devices and periodically test the effectiveness of that solution;<\/li>\n<li>Employ policies that prohibit the transfer of data containing ePHI from OHSU devices to unencrypted removable storage devices, and create a solution to enforce these policies;<\/li>\n<li>Communicate to OHSU\u2019s community its commitment to enterprise encryption;<\/li>\n<li>Provide HHS with OHSU\u2019s security training materials (this training should 
encapsulate HIPAA Privacy and Security Rule features);<\/li>\n<li>Seek HHS approval of OHSU\u2019s training materials;<\/li>\n<li>Train all of OHSU\u2019s community and review such training material annually;<\/li>\n<li>Report staff HIPAA non-compliance to HHS and investigate the matters;<\/li>\n<li>Submit Annual Reports to HHS regarding OHSU\u2019s compliance with the CAP; and<\/li>\n<li>Retain documents and records relating to compliance for six (6) years from the Effective Date of the CAP.<\/li>\n<\/ol>\n<p>If OHSU breaches the CAP, it has a limited period of time to cure the breach. If the breach is not cured by the end of that period, HHS will render an additional monetary penalty against OHSU.<\/p>\n<p><strong>Lessons Learned<\/strong><\/p>\n<p>OHSU had opportunities to rectify insufficient HIPAA processes and procedures, including addressing the absence of a BAA with the cloud-based server provider. <a href=\"https:\/\/www.hhs.gov\/about\/news\/2016\/07\/18\/widespread-hipaa-vulnerabilities-result-in-settlement-with-oregon-health-science-university.html\">OCR Director Jocelyn Samuels<\/a> says that the OHSU settlement highlights \u201cthe importance of leadership engagement\u201d and why it is so critical for a company\u2019s executive leadership to take HIPAA compliance seriously.<\/p>\n<p>Moreover, the vulnerabilities noted by HHS in the settlement could have been prevented with an effective compliance program. 
This settlement should emphasize how necessary the rudimentary compliance measures are: specifically, written policies and procedures, adequate training, internal monitoring and auditing, and responding to and addressing inefficiencies as they are found.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Logan Parker Privacy Editor Loyola University Chicago School of Law, LL.M in Health Law 2017 &nbsp; In 2013, Oregon Health &amp; Science University (\u201cOHSU\u201d), Oregon\u2019s only academic health center, reported numerous breaches of unsecured electronic protected health information (\u201cePHI\u201d), including two breaches within the span of five months. This led to the Office for Civil &#8230;<br \/><a class=\"read-more-link btn btn-outline-secondary\" href=\"https:\/\/blogs.luc.edu\/compliance\/?p=159\">Read more<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[56],"tags":[525,744,1030,1032,1460,1491],"class_list":["post-159","post","type-post","status-publish","format-standard","hentry","category-hipaa-health-information","tag-corrective-action-plan","tag-ephi","tag-hhs","tag-hipaa-2","tag-ocr","tag-oregon-health-science-university"],"_links":{"self":[{"href":"https:\/\/blogs.luc.edu\/compliance\/index.php?rest_route=\/wp\/v2\/posts\/159","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blogs.luc.edu\/compliance\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blogs.luc.edu\/compliance\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blogs.luc.edu\/compliance\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blogs.luc.edu\/compliance\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=159"}],"version-history":[{"count":0,"href":"https:\/\/blogs.luc.edu\/compliance\/index.php?rest_route=\/wp\/v2\/posts\/15
9\/revisions"}],"wp:attachment":[{"href":"https:\/\/blogs.luc.edu\/compliance\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=159"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blogs.luc.edu\/compliance\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=159"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blogs.luc.edu\/compliance\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=159"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}