Dive Brief:
- The Oregon Health & Science University (OHSU) agreed to settle potential HIPAA violations following a federal investigation for $2.7 million.
- HHS' Office for Civil Rights (OCR) began investigating OHSU after the university submitted multiple breach reports affecting thousands of individuals.
- Those breach reports included two involving unencrypted laptops and a large breach involving a missing unencrypted thumb drive.
Dive Insight:
After investigating records dating back to 2003, OCR found that OHSU did not act in a timely manner to implement changes within the organization to address documented risks. The university was also found to have lacked policies and procedures to prevent and detect HIPAA violations.
In addition, OHSU failed to implement an electronic patient health information (ePHI) encryption and decryption mechanism or an equivalent alternative measure for such information maintained on the organization's workstations.
“From well-publicized large scale breaches and findings in their own risk analyses, OHSU had every opportunity to address security management processes that were insufficient,” said OCR Director Jocelyn Samuels in a prepared statement. “Furthermore, OHSU should have addressed the lack of a business associate agreement before allowing a vendor to store ePHI. This settlement underscores the importance of leadership engagement and why it is so critical for the C-suite to take HIPAA compliance seriously.”
Under the HIPAA regulations, doctors, nurses, and other “covered entities” cannot disclose personal health information without the patient’s written authorization. That includes the patient’s name, age, address, phone number, diagnosis, treatment, payment, or anything else that could be construed as PHI.