Skip to content Skip to navigation

St. Joseph Health to Pay $2.14M in HIPAA Settlement

October 19, 2016
by Rajiv Leventhal
| Reprints
OCR investigation revealed poor risk security management

St. Joseph Health (SJH) has agreed to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) privacy and security rules following reports that files containing sensitive health data were publicly accessible through Internet search engines from 2011 to 2012.  

SJH, an integrated healthcare delivery system sponsored by the St. Joseph Health Ministry, “will pay a settlement amount of $2,140,500 and adopt a comprehensive corrective action plan,” according to an announcement from the U.S. Department of Health and Human Services (HHS). SJH’s network includes 14 acute care hospitals, home health agencies, hospice care, outpatient services, skilled nursing facilities, community clinics and physician organizations throughout California and in parts of Texas and New Mexico.

In 2012, SJH reported to HHS’ Office for Civil Rights (OCR) that certain files it created for its participation in the Meaningful Use program, which contained electronic protected health information, or ePHI, were publicly accessible on the internet from February 1, 2011, until February 13, 2012, via Google and possibly other internet search engines.

The server SJH purchased to store the files included a file sharing application whose default settings allowed anyone with an internet connection to access them. Upon implementation of this server and the file sharing application, SJH did not examine or modify it. As a result, the public had unrestricted access to PDF files containing the ePHI of 31,800 individuals, including patient names, health statuses, diagnoses, and demographic information, HHS reported.

An investigation from OCR specifically revealed: from 2011 to 2012, SJH potentially disclosed the PHI of 31,800 individuals; evidence indicated that SJH failed to conduct an evaluation in response to the environmental and operational changes presented by implementation of a new server for its meaningful use project, thereby compromising the security of ePHI; and although SJH hired a number of contractors to assess the risks and vulnerabilities to the confidentiality, integrity and availability of ePHI held by SJH, evidence indicated that this was conducted in a patchwork fashion and did not result in an enterprise-wide risk analysis, as required by the HIPAA security rule.

As such, in addition to the settlement, SJH has agreed to a corrective action plan that requires the organization to conduct an enterprise-wide risk analysis, develop and implement a risk management plan, revise its policies and procedures, and train its staff on these policies and procedures.

“Entities must not only conduct a comprehensive risk analysis, but must also evaluate and address potential security risks when implementing enterprise changes impacting ePHI,” said OCR Director Jocelyn Samuels. “The HIPAA security rule’s specific requirements to address environmental and operational changes are critical for the protection of patient information.”

Get the latest information on Cybersecurity and attend other valuable sessions at this two-day Summit providing healthcare leaders with educational content, insightful debate and dialogue on the future of healthcare and technology.

Learn More

Topics

News

Two Republican Senators Unveil Proposed ACA Replacement Bill

Two Republican Senators, Bill Cassidy of Louisiana and Susan Collins of Maine, on Monday unveiled a proposed bill, called The Patient Freedom Act of 2017, that, rather than dismantling the Affordable Care Act (ACA), offered a partial replacement that would allow states to continue operating under the law if they choose.

Norris Cochran Tapped to Serve as Acting Secretary at HHS

Norris Cochran has been tapped to serve as Acting Secretary of the U.S. Department of Health and Human Services (HHS) following the departure of former HHS Secretary Sylvia Burwell as part of the ongoing Trump Administration transition.

Consumers Increasingly Willing to Try Telehealth, New Survey Finds

About one in five consumers said they would switch their current primary care provider (PCP) if another PCP in their area offered telehealth visits, according to American Well’s latest survey.

New York Presbyterian Brooklyn Methodist Revalidated as EMRAM Stage 7

Due to its use of RFID technology to improve patient care and outcomes, New York Presbyterian Brooklyn Methodist Hospital (NYPBMH) has received acute care Stage 7 revalidation on the HIMSS Analytics Electronic Medical Record Adoption Model (EMRAM).

Dana Alexander Named 2016 HIMSS Nursing Informatics Leadership Award Winner

Dana Alexander, R.N., has been named the recipient of the 2016 HIMSS-ANI Nursing Informatics Leadership Award, a joint award sponsored by Alliance for Nursing Informatics (ANI) and HIMSS.

Agency Leadership Update: Collins Stays at NIH, Bindman Leaves AHRQ

As President-elect Donald Trump is sworn in as the United States’ 45th president at noon today, there has been an ongoing administration shuffle as agency leaders have stepped down as part of the presidential transition.