Last week, Oregon Health & Science University (“OHSU”) agreed to pay $2.7 million to resolve potential violations of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Security Rule, Privacy Rule, and Breach Notification Rule. OHSU is a public academic health center and research university located in Portland, Oregon.
In 2013, OHSU notified the United States Department of Health and Human Services, Office for Civil Rights (“OCR”), of two breach incidents. The first incident occurred when an unencrypted laptop containing electronic protected health information (“ePHI”) was stolen. The second incident occurred when OHSU employees stored ePHI on an internet-based storage system, also known as cloud storage, in order to maintain patient spreadsheets. In that incident, there was no evidence that the stored ePHI was accessed or used by anyone who did not have a legitimate need to view the information. However, the incident still constituted a breach because the cloud storage service provider was not an OHSU business associate with a contractual agreement to use or store OHSU patient health information, as required by 45 C.F.R. § 164.308(b).
After receiving the notifications from OHSU, OCR initiated an investigation and found that OHSU had implemented policies and procedures pursuant to the HIPAA Rules. However, OCR found that OHSU failed to fully comply with the HIPAA Rules during certain time periods. For instance, from January 5, 2011, until July 3, 2013, OHSU failed to “implement policies and procedures to prevent, detect, contain, and correct security violations” as required by 45 C.F.R. § 164.308(a)(1)(i).
OCR has the authority to conduct compliance reviews and investigations of complaints alleging violations of the HIPAA Rules. Specifically, the HIPAA Security Rule sets forth certain safeguards for ePHI. HIPAA covered entities and business associates must comply with the requirements of the HIPAA Rules. OHSU is a covered entity, as defined at 45 C.F.R. § 160.103.
The settlement between OCR and OHSU resolves these potential violations by OHSU of the HIPAA Rules. According to the settlement, OHSU will pay $2.7 million and comply with a corrective action plan. Under the corrective action plan, OHSU must develop and maintain a comprehensive risk management plan and implement a solution that will ensure all OHSU-owned and personally-owned devices that access ePHI on OHSU’s secure network are encrypted. In addition, OHSU must provide privacy and security training for all OHSU workforce members with access to PHI and ePHI. OCR will monitor OHSU’s compliance with the corrective action plan over the next three years.