United States: OCR's Recent $2.7 Million Settlement With Oregon Health & Science University Highlights The Importance Of HIPAA Compliance Follow-Up

​The U.S. Department of Health and Human Services Office for Civil Rights (OCR) and Oregon Health & Science University (OHSU) recently entered into a resolution agreement to settle potential violations of HIPAA's Privacy and Security Rules. OHSU is a large, Portland-based public academic health center and research university, that includes two hospitals and several clinics throughout Oregon. Under terms of the settlement, OHSU agreed to pay a $2,700,000 fine and implement a comprehensive three-year corrective action plan.

In 2013, OHSU came under OCR scrutiny after reporting multiple security incidents involving electronic protected health information (ePHI), which included thefts of an unencrypted laptop computer and an unencrypted thumb drive. The resulting investigation identified a significant number of problems with OHSU's HIPAA compliance efforts.

Notably, OHSU was found to be storing ePHI—including credit card and payment information, diagnoses, procedures, photos, driver's license numbers and Social Security numbers—on a vendor's cloud-based server without having a business associate agreement in place with the vendor.  OCR deemed that arrangement a clear violation of the Privacy Rule.  

OCR further determined while OHSU had performed six risk analyses in the period from 2003 through 2013, those analyses failed to satisfy the Security Rule's requirement that they address all ePHI in OHSU's possession. OHSU also failed to timely and appropriately address vulnerabilities that those analyses did identify. Specifically, the Resolution Agreement notes that OHSU "failed to implement policies and procedures to prevent, detect, contain, and correct security violations," "failed to implement a mechanism to encrypt and decrypt ePHI or an equivalent alternative measure for ePHI maintained in OHSU's enterprise," and "failed to implement policies and procedures to address security incidents." 

The OHSU enforcement action and settlement highlights an important concept for HIPAA covered entities: it is not sufficient to periodically review your HIPAA compliance program. You must also promptly and fully address any vulnerabilities your compliance review uncovers. Failure to follow up not only leaves your organization exposed to security incidents and regulatory enforcement actions, but will also render your compliance review efforts worthless and a waste of time. 

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.