HIPAA Violations Still In the News

Last week, St Joseph’s Health (SJH) made headlines for HIPAA violations. They will be paying over $2 million to settle. According to the Office for Civil Rights (OCR), which enforces the HIPAA rules, SJH had files containing protected health information (PHI) publicly accessible through online search engines between 2011 and 2012. As part of the settlement, St Joseph’s will also adopt a corrective action plan.

The server SJH purchased to store the files included a file-sharing application whose default settings allowed anyone with an Internet connection to access them. After rolling out the server and the file-sharing application, SJH never reviewed the result of that deployment. The public had unrestricted access to PDF files containing the PHI of 31,800 patients.

Although SJH had hired contractors to assess the risks, OCR concluded that these efforts did not amount to the enterprise-wide risk analysis required by the HIPAA Security Rule, and that SJH had not taken enough steps to protect the “confidentiality, integrity and availability of ePHI”.

Alarming Trend

While they make headlines and draw ire, HIPAA violations are alarmingly common. AAP recently reported a crackdown on small practices that were in violation, and Care New England was hit with a $400,000 fine. A summer publication by OCR revealed large gaps in HIPAA compliance around contingency planning and the backing up of health records.

Organizations are not taking the steps needed to protect themselves adequately. These fines are only the tip of the iceberg: the real cost of a violation is considerably higher once legal expenses and the programs needed to prevent future violations are counted. Being proactive could have saved these organizations millions of dollars.

In SJH’s case, they should have verified the access controls on that server, and the context in which the data was being placed there, before anything was published. Alternatively, had they de-identified the data as the HIPAA Privacy Rule provides (properly de-identified data is no longer PHI under the rule), they could have placed it on that server with far less risk, and far lower cost, in the event of exposure.

Many organizations are taking the right steps to protect PHI and comply with HIPAA, but these headlines show that others may not know what the right steps are. Privacy Analytics created Risk Monitor for this purpose: it measures the risk of re-identification in data sets, so organizations can move past “steps” and be confident when sharing sensitive data. Watch the overview to learn more.
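To make the de-identification and re-identification-risk ideas above concrete, here is a small Python example written for this page. It is not code from the original post, from Privacy Analytics, or from Risk Monitor. It assumes a constructed patient table in which ZIP code, birth year and sex are the quasi-identifiers an adversary could link to an outside source, measures risk from the size of the quasi-identifier equivalence classes (the k-anonymity view), and then applies a simplified generalization plus suppression step. The generalization rules are illustrative, not the full Safe Harbor list.

```python
"""Measure re-identification risk of a small patient table from the size of its
quasi-identifier equivalence classes, then reduce it by generalization and
suppression. Added example with constructed data; not Privacy Analytics code."""
from collections import Counter

# Constructed sample records. Only the quasi-identifiers matter for the risk
# calculation; "diagnosis" is the sensitive value being protected.
RECORDS = [
    {"zip": "02139", "birth_year": 1961, "sex": "F", "diagnosis": "asthma"},
    {"zip": "02139", "birth_year": 1961, "sex": "F", "diagnosis": "diabetes"},
    {"zip": "02139", "birth_year": 1965, "sex": "M", "diagnosis": "asthma"},
    {"zip": "02140", "birth_year": 1970, "sex": "F", "diagnosis": "hepatitis"},
    {"zip": "02140", "birth_year": 1972, "sex": "F", "diagnosis": "asthma"},
    {"zip": "02141", "birth_year": 1958, "sex": "M", "diagnosis": "diabetes"},
    {"zip": "02141", "birth_year": 1958, "sex": "M", "diagnosis": "asthma"},
    {"zip": "02141", "birth_year": 1958, "sex": "M", "diagnosis": "hepatitis"},
    {"zip": "02142", "birth_year": 1985, "sex": "F", "diagnosis": "diabetes"},
    {"zip": "02139", "birth_year": 1965, "sex": "M", "diagnosis": "diabetes"},
]

# Assumption: these columns are what an adversary could match against an
# external source such as a voter roll or public directory.
QUASI_IDENTIFIERS = ("zip", "birth_year", "sex")


def _key(record, qids):
    return tuple(record[q] for q in qids)


def equivalence_classes(records, qids=QUASI_IDENTIFIERS):
    """Count how many records share each quasi-identifier combination."""
    return Counter(_key(r, qids) for r in records)


def risk_summary(records, qids=QUASI_IDENTIFIERS):
    """k-anonymity style risk metrics.

    A record in a class of size s can be matched with probability 1/s by an
    adversary who knows the target is in the table, so:
      max_risk = 1/k, where k is the smallest class size;
      avg_risk = mean of 1/s over all records = (number of classes) / n.
    """
    if not records:
        return {"n": 0, "k": 0, "classes": 0, "uniques": 0,
                "max_risk": 0.0, "avg_risk": 0.0}
    classes = equivalence_classes(records, qids)
    n = len(records)
    k = min(classes.values())
    return {
        "n": n,
        "k": k,
        "classes": len(classes),
        "uniques": sum(1 for size in classes.values() if size == 1),
        "max_risk": 1 / k,
        "avg_risk": len(classes) / n,
    }


def generalize(record):
    """Coarsen quasi-identifiers: ZIP to its first three digits, birth year to
    a decade. Illustrative only; the Privacy Rule's Safe Harbor method has
    more conditions (for example, sparsely populated 3-digit ZIP prefixes)."""
    out = dict(record)
    out["zip"] = record["zip"][:3] + "**"
    out["birth_year"] = f"{record['birth_year'] // 10 * 10}s"
    return out


def deidentify(records, k_required=2, qids=QUASI_IDENTIFIERS):
    """Generalize every record, then suppress (drop) any record whose class is
    still smaller than k_required. Returns the rows that may be released.
    Generalization alone can leave unique records; suppression removes them."""
    generalized = [generalize(r) for r in records]
    classes = equivalence_classes(generalized, qids)
    return [r for r in generalized if classes[_key(r, qids)] >= k_required]


if __name__ == "__main__":
    print("raw:      ", risk_summary(RECORDS))
    print("released: ", risk_summary(deidentify(RECORDS, k_required=2)))
```

On the raw table three records are unique on their quasi-identifiers, so the worst-case re-identification risk is 1.0. Generalization alone still leaves one unique record (the single 1980s female); suppressing it brings the smallest class to 2 and the worst-case risk to 0.5. A real release would choose the k threshold and the generalization hierarchy from the data-sharing context, which is the judgement the post is asking organizations to make before data goes onto a shared server.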

Free Webinar: De-Identification 101

Join Privacy Analytics for a high-level introduction to de-identification and data masking.