
Blog

OCR Settles Potential Security Rule Violations for $2.14 Million


Author

Alessandra Swanson

October 25, 2016

The Office for Civil Rights (OCR) recently settled with St. Joseph Health (SJH) for $2.14 million to address allegations that SJH violated the Health Insurance Portability and Accountability Act (HIPAA) following a breach that affected the electronic protected health information (ePHI) of 31,800 individuals. SJH is a nonprofit health system that includes 14 hospitals and various other health care entities, including hospice and home health providers. In 2012, SJH self-reported to OCR that one of its network servers had been configured so as to make the ePHI stored in one of the server’s applications publicly accessible. OCR noted that SJH purchased the server in 2011 and did not change the default security settings, which made the ePHI accessible through at least the Google search engine.

OCR’s investigation determined that SJH had failed to evaluate how the new server would affect the rest of its ePHI security infrastructure, as required by the HIPAA Security Rule. OCR further noted that SJH failed to fulfill the Security Rule’s requirement to conduct an enterprise-wide risk analysis by taking a “patchwork” approach to analyzing the risks and vulnerabilities to its ePHI.

TIP: This settlement is a reminder that businesses subject to HIPAA would be well served to review their Security Rule policies and procedures to ensure that they appropriately account for enterprise-wide risk analyses in response to operational or business changes that may affect the security of their ePHI.

This entry has been created for information and planning purposes. It is not intended to be, nor should it be substituted for, legal advice, which turns on specific facts.
