This week yet another health organization agreed to a large settlement for HIPAA violations, thus serving as an unfortunate example of why managing security risk is critical. St. Joseph Health (SJH), a nonprofit integrated Catholic health care delivery system sponsored by the St. Joseph Health Ministry, will pay $2.14 million for allowing files containing electronic protected health information (ePHI) to be publicly accessible through internet search engines from 2011 until 2012.
In addition to the fine, SJH will adopt a corrective action plan that requires the organization to conduct an enterprise-wide risk analysis, develop and implement a risk management plan, revise its policies and procedures, and train its staff on these policies and procedures.
Had this process been implemented back in 2012, it’s likely the costly breach could have been avoided altogether. Instead, OCR’s investigation indicated the following potential violations of the HIPAA Privacy and Security Rules:
• From February 1, 2011 to February 13, 2012, SJH potentially disclosed the PHI of 31,800 individuals;
• Evidence indicated that SJH failed to conduct an evaluation in response to the environmental and operational changes presented by implementation of a new server for its meaningful use project, thereby compromising the security of ePHI;
• Although SJH hired a number of contractors to assess the risks and vulnerabilities to the confidentiality, integrity and availability of ePHI held by SJH, evidence indicated that this was conducted in a patchwork fashion and did not result in an enterprise-wide risk analysis, as required by the HIPAA Security Rule.
The fact that some parts of SJH were secure did not keep all of its parts safe. It’s much like locking your front door and garage, but leaving your patio door open. Your whole house becomes an easy break-in for thieves. Might as well leave a plate of cookies out for the scoundrels. Or, you could check that all your doors and windows are locked, the security alarm is turned on, and Fido is guarding the front door. In other words, manage your security risk to the fullest and you won’t have to share your cookies, or your private data.
Read more about the settlement here. Find out more here about how the HIPAA experts at PrivaPlan can assist you with an enterprise-wide risk analysis. We are here to help. Contact us at info@privaplan.com or call 877-218-7707.