2.7 Million Dollar HIPAA Settlement

King & Spalding

Last week, Oregon Health & Science University (“OHSU”) agreed to pay $2.7 million to resolve potential violations of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Security Rule, Privacy Rule, and Breach Notification Rule.  OHSU is a public academic health center and research university located in Portland, Oregon. 

In 2013, OHSU notified the United States Department of Health and Human Services, Office for Civil Rights (“OCR”), of two breach incidents.  The first incident occurred when an unencrypted laptop containing electronic protected health information (“ePHI”) was stolen.  The second incident occurred when OHSU employees stored ePHI on an internet-based storage system, also known as a cloud storage, in order to maintain spreadsheets of patients.  In that incident, there was no evidence that the stored ePHI was accessed or used by anyone who did not have a legitimate need to view the information.  However, the breach resulted because the cloud storage service provider was not an OHSU business associate with a contractual agreement to use or store OHSU patient health information as required by 45 C.F.R. § 164.308(b)

After receiving the notifications from OHSU, OCR initiated an investigation and found that OHSU had implemented policies and procedures pursuant to the HIPAA Rules.  However, OCR found that OHSU failed to fully comply with the HIPAA Rules during certain time periods.  For instance, from January 5, 2011, until July 3, 2013, OHSU failed to “implement policies and procedures to prevent, detect, contain, and correct security violations” as required by 45 C.F.R. § 164.308(a)(1)(i).

OCR has the authority to conduct compliance reviews and investigations of complaints alleging violations of the HIPAA Rules.  Specifically, the HIPAA Security Rule sets forth certain safeguards for ePHI.  HIPAA covered entities and business associates must comply with the requirements of the HIPAA Rules.  OHSU  is a covered entity, as defined at 45 C.F.R. § 160.103.

The settlement between OCR and OHSU resolves these potential violations by OHSU of the HIPAA Rules.  According to the settlement, OHSU will pay $2.7 million and comply with a corrective action plan.  Under the corrective action plan, OHSU must develop and maintain a comprehensive risk management plan and implement a solution that will ensure all OHSU owned and personally-owned devices that access ePHI on OHSU’s secure network are encrypted.  In addition, OHSU must provide privacy and security training for all OHSU workforce members with access to PHI and ePHI.  OCR will monitor OHSU’s compliance with the corrective action plan over the next three years.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© King & Spalding | Attorney Advertising

Written by:

King & Spalding

King & Spalding on:

Reporters on Deadline

Related Case Law

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.