HIPAA Settlement Emphasizes “Living” Security Risk Assessment
On October 18, 2016, the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) released details of a $2.14 million settlement and corrective action plan with St. Joseph Health (SJH), a nonprofit, multi-facility health system serving California, Texas and New Mexico.
In February 2012, SJH reported a breach involving 31,800 patient files that had been publicly accessible on the internet for a period of over one year. SJH had purchased a new server, and the file sharing application on that server had a default setting that allowed public access. The publicly accessible information included names, diagnoses and demographic information, among other data, but did not include social security numbers or financial information.
A key finding from OCR’s investigation relates to the HIPAA requirement for covered entities and business associates to conduct a security risk assessment. OCR found that the new server created an “environmental or operational” change, which required a review of, or update to, SJH’s security risk assessment. OCR states that SJH compromised the security of its electronic protected health information because it did not perform an evaluation in response to the addition of the new server.
Notably, from the discovery of the breach to the present, OCR found that SJH “failed to satisfactorily conduct an accurate and thorough analysis of the potential risks and vulnerabilities” to its electronic protected health information. The key takeaway for covered entities and business associates is that changes in processes, equipment, software and similar items necessitate a review, and potentially an update, of the entity’s security risk assessment.
SJH’s settlement with OCR follows a $15 million class action lawsuit settlement, pursuant to which SJH agreed to pay $7.5 million to the 31,800 impacted patients and the remaining $7.5 million for attorneys’ fees and legal costs. The class action settlement also required SJH to establish a $3 million fund, permitting patients who could demonstrate that they suffered losses to apply for up to $25,000 each.
As evidenced by the time lapse between this breach and the settlement, OCR appears to be continuing to work its way through enforcement of breaches reported over the last several years.
The SJH Resolution Agreement and Corrective Action Plan can be found here.