St. Joseph Health, a nonprofit Catholic healthcare provider, has agreed to pay $2,140,500 as part of a settlement over allegations that it violated the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule and Security Rule.
The Office for Civil Rights (OCR) says St. Joseph Health failed to properly safeguard patients' files from unauthorized use and access. As a result, the healthcare provider has agreed to pay a near record-setting HIPAA fine and to implement a corrective action plan that includes routine risk management, the revision of its policies and procedures, and the retraining of all employees who work for the company.
The issue at hand dates back to 2012, when St. Joseph Health reported to OCR officials that some of its files for the "meaningful use program" were accessible on Google and other search engines from February 1, 2011 through February 13, 2012. These weren't just generic files containing nondescript information, either. The files in question held the records of some 31,800 St. Joseph Health patients, revealing their names, diagnoses, ages, addresses and other personally identifiable information.
After conducting its investigation, the OCR determined that St. Joseph Health had hired independent contractors to assess the risks to its Electronic Protected Health Information (EPHI). However, these risk assessments were conducted poorly, with the contractor using "patchwork" techniques that ultimately failed to identify major holes.
“The server SJH purchased to store the files included a file sharing application whose default settings allowed anyone with an Internet connection to access them,” said the OCR in a statement when announcing the settlement. “Upon implementation of this server and the file sharing application, SJH did not examine or modify it. As a result, the public had unrestricted access to PDF files containing the ePHI of 31,800 individuals, including patient names, health statuses, diagnoses, and demographic information.”
In case you were wondering, this recent settlement between St. Joseph Health and the OCR brings the year-to-date total for HIPAA violation settlements to a whopping $22.84 million. In comparison, all HIPAA violation settlements from last year totaled only $6.2 million.
So, what's causing the increase in HIPAA fines? We've talked about this before, but the OCR and HHS have acknowledged that enforcement was somewhat subpar. As a result, they've stepped up efforts to identify violations of the HIPAA Security Rule and Privacy Rule and to enforce both.