St. Joseph Health, an integrated delivery system based in Irvine, California, has reached an agreement with the U.S. Department of Health and Human Services' (HHS) Office for Civil Rights (OCR) under which it will pay more than $2.1 million to settle alleged HIPAA violations. HHS announced the settlement on October 18.

The health system includes 14 acute care hospitals along with home health agencies, nursing homes, clinics and physician groups. In February 2012, St. Joseph reported to the OCR that an improperly configured computer server had left the protected health information (PHI) of 31,800 patients from five of its hospitals accessible to Google searches. The default setting of a file-sharing application on the server exposed the records, which included patient names, diagnoses, lab results and other health information.

The OCR's investigation found that St. Joseph had failed to perform an evaluation of the computer application and server configuration after implementing them, as required by the HIPAA Security Rule. This failure caused the patient records, stored in PDF files, to be unprotected and publicly accessible online for more than a year.

OCR also found that although St. Joseph hired contractors to assess the risks and vulnerabilities of its electronic PHI, "this was conducted in a patchwork fashion and did not result in an enterprise-wide risk analysis," as the Security Rule requires.

In addition to the monetary settlement, St. Joseph agreed to a corrective action plan that requires it to conduct a full risk analysis, develop and implement a risk management plan, revise its HIPAA policies and procedures, and properly train its staff on HIPAA matters.

