Summary

On October 18, 2016, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), announced that St. Joseph Health (SJH) agreed to settle allegations relating to the HIPAA Privacy and Security Rules, pay $2.14 million and enter into a corrective action plan (CAP).  This is the 12th settlement announced by OCR in 2016.  The fines imposed by OCR this year from these settlements total approximately $23 million.

SJH, a health care delivery system, includes 14 acute care hospitals, home health agencies, outpatient services, and skilled nursing facilities throughout California and in parts of New Mexico and Texas.  SJH has 24,000 employees, including 6,000 physicians, and provides care to 137,00 inpatients and 3.6 million outpatients annually. 

In February 2012, SJH reported to OCR that PDF files created for SJH’s participation in the HHS meaningful use program that contained protected health information (PHI) of almost 32,000 individuals were publicly accessible on the internet for slightly over one year — from February 2011, through part of February 2012.  The files were made accessible because a new server purchased by SJH to store the meaningful use files included a file sharing application whose default settings allowed anyone with an internet connection to access the files.  The PHI included a combination of patient names, BMI, blood pressure, lab results, smoking status, diagnoses, medication allergies, advance directive status and demographic data, but did not include social security numbers or other financial data. 

OCR’s investigation revealed that SJH failed to perform an evaluation in response to the environmental and operational changes caused by implementing the new server.  Further, neither SJH nor any contractor hired by SJH as part of the server implementation project conducted an enterprise risk analysis required by the HIPAA Security Rule.    

In addition to paying the fine, SJH agreed to do each of the following as part of the CAP:

• conduct an enterprise-wide risk analysis of security risks and vulnerabilities of all electronic equipment, data systems and applications that contain, store, transmit or receive electronic PHI;
• develop a complete inventory of all electronic equipment, data systems, and applications that contain or store electronic PHI;
• develop an organization-wide risk management plan to address and mitigate the security risks and vulnerabilities identified in the risk analysis;
• revise its HIPAA Privacy policies and procedures;
• provide training to all workforce members of the revised policies; and
• submit annual reports to HHS.  

The OCR press release for the SJH settlement and the CAP are available here.

Important Takeaways and Next Steps

The multimillion-dollar SJH settlement underscores the importance for covered entities to have robust HIPAA Security policies and protections in place at all times.  The introduction of a new computer server and the failure to perform an evaluation of this seemingly modest change in IT infrastructure resulted in a breach of PHI affecting thousands of SJH patients, a significant financial penalty and a comprehensive CAP that will keep SJH activities and ongoing HIPAA compliance front and center with the OCR.  

In order to protect electronic PHI, covered entities and business associates should regularly review HIPAA Privacy and Security policies, undertake an enterprise-wide risk analysis, and thereafter implement an appropriate risk management plan.