
The U.S. Department of Health and Human Services' Office for Civil Rights (OCR) announced on October 18, 2016, that a nonprofit California health system has agreed to pay $2,140,500 to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules. The health system reported to OCR in February 2012 that certain files in its meaningful use program, which contained electronic protected health information (ePHI), had been publicly accessible via Google, and possibly other internet search engines, during the previous year. According to OCR, the health system stored the files on a server that included a file-sharing application whose default setting, which allowed access to anyone with an internet connection, was never changed. This gave the public unrestricted access to ePHI containing patient names, health statuses, diagnoses, and demographic information of 31,800 individuals. "Entities must not only conduct a comprehensive risk analysis, but must also evaluate and address potential security risks when implementing enterprise changes impacting ePHI," said OCR's director in a press release. "The HIPAA Security Rule's specific requirements to address environmental and operational changes are critical for the protection of patient information." The health system also agreed to a three-year corrective action plan that will require it to conduct an enterprise-wide risk analysis, develop and implement a risk management plan, revise current policies and procedures, and train staff.

HRC Recommends: The HIPAA Security Rule specifies that covered entities and business associates must identify risks and vulnerabilities with regard to the confidentiality, integrity, and availability of their ePHI; determine what controls are effective in meeting each Security Rule implementation standard; assess the effectiveness of their current security efforts; prioritize actions; implement an action plan; monitor effectiveness; and make appropriate changes as reasonably necessary. Despite this rule, OCR audits consistently find that such risk analyses do not occur or are insufficient.

Topics and Metadata

Topics

Health Information Privacy; Laws, Regulations, Standards

Roles

Healthcare Executive; Legal Affairs; Risk Manager

Information Type

News

Publication History

Published October 26, 2016

Who Should Read This

Corporate compliance; HIPAA security officer; Legal affairs; Security