St. Joseph Health, an integrated delivery system based in
Irvine, California, has reached an agreement with the U.S. Department
of Health and Human Services' (HHS) Office for Civil Rights
(OCR) under which it will pay more than $2.1 million to settle
alleged HIPAA violations. HHS announced the settlement on
October 18.

The health system includes 14 acute care hospitals along with home
health agencies, nursing homes, clinics and physician groups. In
February 2012, St. Joseph reported to the OCR that an improperly
configured computer server had left the protected health
information (PHI) of 31,800 patients from five of its hospitals
accessible to Google searches. The default setting of a
file-sharing application on the server exposed the records, which
included patient names, diagnoses, lab results and other health
information.

The OCR's investigation found that St. Joseph had failed to
perform an evaluation of the computer application and server
configuration after implementing them, as required by the HIPAA
Security Rule. This failure caused the patient records, stored in
PDF files, to be unprotected and publicly accessible online
for more than a year.

OCR also found that although St. Joseph hired contractors to assess
the risks and vulnerabilities of its electronic PHI, "this was
conducted in a patchwork fashion and did not result in an
enterprise-wide risk analysis," as the Security Rule
requires.

In addition to the monetary settlement, St. Joseph agreed to a
corrective action plan that requires it to conduct a full risk
analysis, develop and implement a risk management plan, revise its
HIPAA policies and procedures, and properly train its staff on
HIPAA matters.