The OCR resolution agreement with OHSU provides a lot of specific details on what happened, plus what OCR expects of entities. As we often find, reviewing a resolution agreement like this one is well worth the time. The links are available for you to check it out for yourself. Join us in this episode as we discuss our thoughts on the case.
- March 23, 2013: Oregon Health & Science University notified HHS of a breach due to a stolen unencrypted laptop.
- May 1, 2013: OCR notified them that it was investigating the incident.
- July 28, 2013: Oregon Health & Science University notified HHS of another breach, resulting from storing ePHI at an internet-based service provider without a business associate agreement.
- November 8, 2013: OCR notified them that it was investigating the new incident.
- July 18, 2016: settlement announced for $2.7 million and a 3-year CAP.
- From March 23, 2013 until July 2019 they will be dealing with OCR.
Noted clips from the OCR press release
“From well-publicized large scale breaches and findings in their own risk analyses, OHSU had every opportunity to address security management processes that were insufficient. Furthermore, OHSU should have addressed the lack of a business associate agreement before allowing a vendor to store ePHI,” said OCR Director Jocelyn Samuels. “This settlement underscores the importance of leadership engagement and why it is so critical for the C-suite to take HIPAA compliance seriously.”
OHSU performed risk analyses in 2003, 2005, 2006, 2008, 2010, and 2013, but OCR’s investigation found that these analyses did not cover all ePHI in OHSU’s enterprise, as required by the Security Rule. While the analyses identified vulnerabilities and risks to ePHI located in many areas of the organization, OHSU did not act in a timely manner to implement measures to address these documented risks and vulnerabilities to a reasonable and appropriate level. OHSU also lacked policies and procedures to prevent, detect, contain, and correct security violations and failed to implement a mechanism to encrypt and decrypt ePHI or an equivalent alternative measure for ePHI maintained on its workstations, despite having identified this lack of encryption as a risk.
What did we learn from the OCR resolution agreement with OHSU?
The list of violations found in the investigation, according to the OCR resolution agreement with OHSU, includes:
- Disclosed PHI to a non-HIPAA-compliant ISP server from January 5, 2011 to July 3, 2013 (over 2 years)
- No BAA: did not have a BAA with the ISP that owned the server for over 2 years
- No P&P: did not implement P&P to prevent, detect, contain, and correct security violations for over two years
- No encryption plan or equivalent alternative measure from July 12, 2010 to PRESENT
- No P&P: from May 29, 2013 to July 3, 2013, failed to implement P&P to address security incidents
By duration, that is:
- 3 violations that went on for over 2 years
- 1 violation that went on for over 6 years
- 1 small one lasting only a couple of months
The total fines could have been $18 million or more had the case not been settled.