Oregon Health and Science University (OHSU) is a highly ranked public university in Portland, Oregon. On March 23, 2013, as acovered entity under HIPAA, the university had to assign itself a failing grade in protecting electronic personal health information (ePHI) in its custody.
Multiple ePHI breaches
OHSU reported multiple breaches to the U.S. Department of Health and Human Services Office for Civil Rights (OCR). The reports disclosed the following:
- An OHSU surgeon took his laptop to a Hawaii vacation rental. The laptop was not encrypted. Someone stole the computer along with information on 4,022 patients.
- New physicians in OHSU’s residency program used a cloud storage device to maintain information on 3,044 patients in the plastic surgery, urology, and kidney transplant programs.
No business associate contract
When OCR investigators dug further, they uncovered “widespread vulnerabilities” in OHSU’s HIPAA compliance. Included was OHSU’s failure to execute a business associate contract with the residents’ online storage provider.
Sensitive patient data compromised
OCR investigators identified a “significant risk of harm” to 1,361 of the 3,044 individuals whose data was posted on line, by virtue of the “extremely sensitive nature” of their diagnoses and illnesses.
Breaches occurred despite multiple risk analyses
The HIPAA Security Rule (45 C.F.R., 164-302) requires covered entities to perform risk analysis, and the OCR publishes periodicguidance. In its investigation, OCR found that OHSU did risk analyses from 2003 through 2013, but failed to include all records under OSHU’s custody. Moreover, OCR found, OHSU identified risks and vulnerabilities and actually documented them. Unfortunately, OSHU took no follow up action, particularly at the management level.
Here’s how the July 18, 2016, HHS new release put it:
OHSU also lacked policies and procedures to prevent, detect, contain, and correct security violations and failed to implement a mechanism to encrypt and decrypt ePHI or an equivalent alternative measure for ePHI maintained on its workstations, despite having identified this lack of encryption as a risk.
Nearly 3 million reasons to be HIPAA compliant
The cost to OHSU was a monetary settlement–they don’t call it a fine, but it is, really–of $2.7 million. Along with the settlement, OHSU must implement a comprehensive three-year corrective action plan (CAP)–which, not coincidentally is just about everything the HIPAA Security Rule requires covered entities to follow.
The OHSU CAP
Under the agreement OSHU must:
1. Do an accurate and thorough assessment of the risks and vulnerabilities to their data and include their facilities located outside of Portland, Oregon. Including everything–systems, networks, and devices–that handle ePHI.
2. Develop a risk management plan that is comprehensive and:
- explains OHSU’s ongoing strategy to enforce security measures, which are realistically based on OHSU’s circumstances
- includes a comprehensive, organization-wide plan to ensure supervision and oversight of the OHSU staff in HIPAA-related measures
- provides timelines and expected completion dates for implementing the risk management plan
3. Tighten its mobile device management program by inventorying, encrypting and controlling all OHSU-owned as well as personally-owned mobile devices. Enforce and prohibit restrictions on the transfer of ePHI to personally-owned and unencrypted removable storage devices.
4. Develop a security awareness and training program for everyone in the OHSU community. The program must include awareness of privacy and security related to:
- using internet-based storage services
- disclosures to third-parties and the need for business associate agreements
- training managers in effective supervision of their workforce in disclosures of personal health information
- how to report a security incident or a data breach
- how to manage passwords
OHSU has 90 days to provide the documented training materials for HHS review and approval.
Want to save millions?
Remote Technology Services is the trusted choice when it comes to staying ahead of the latest HIPAA developments, information technology tips, tricks, and news. Contact us at (800) 478--8105 or send us an email at firstname.lastname@example.org for more information.