HIPAA Violations Still In the News
Last week, St Joseph’s Health (SJH) made headlines for HIPAA violations. They will be paying over 2 million to settle their fines. According to the Office for Civil Rights (OCR), which oversees HIPAA rules, SJH had files containing PHI publicly accessible through online search engines between 2011 and 2012. As part of the settlement, St Joseph’s will also be adopting a corrective action plan.
The server SJH purchased to store the files included a file-sharing application whose default settings allowed anyone with an Internet connection to access them. After rolling out the server and the file-sharing application, SJH failed to review the results of these efforts. The public had unrestricted access to PDF files containing the PHI of 31,800 patients.
While they had hired contractors to assess the risks, the OCR concluded that SJH did not take enough steps to protect the “confidentiality, integrity and availability of ePHI”. Their steps did not result in an enterprise-wide risk analysis, as required by the HIPAA Security Rule.
Although they make headlines and draw ire, HIPAA violations are alarmingly common. AAP recently reported a crackdown on small practices that were in violation. Care New England was hit with $400k worth of fines as well. A summer publication by the OCR revealed huge gaps in compliance with HIPAA for contingency planning, as well as issues around backing up health records.
Organizations are not taking the steps to adequately protect themselves. These fines are only the tip of the iceberg – the actual cost of these violations is significantly more. Aside from legal expenses, the programs to prevent future violations also have significant costs. Being proactive could have saved these organizations millions of dollars.
In SJH’s case, they should have verified the controls and context for releasing the data on that online server. Alternatively, had they de-identified the data (as per HIPAA’s Privacy Rule), they could have released data on that server and limited the risk – and costs – of release.
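The failure described above has two parts: a file-sharing application whose default configuration served everything to anonymous users, and no post-rollout review that would have caught it. The script below is an added example, not code from the original post or from SJH or Privacy Analytics. It stands up two tiny loopback web servers that play the role of the share's "default" and a reviewed "hardened" configuration (both constructed for this illustration; the bearer token and the placeholder PDF contents are assumptions, and no real PHI is involved), then runs the one check that was missing: request the files with no credentials and record which ones come back readable.

```python
"""Post-rollout exposure check for a file share: does an anonymous client get the files?

Added example, not code from the original post or from the organizations it discusses.
Everything here is constructed: the two handler classes stand in for a file-sharing
application's "default" and "hardened" configurations, and the PDF content is a
placeholder containing no real data.
"""
import functools
import http.server
import os
import tempfile
import threading
import urllib.error
import urllib.request

# Constructed sample content; only the file name matters to the check.
SAMPLE_FILES = {
    "reports/patient-summary.pdf": b"%PDF-1.4\n% constructed placeholder, no real data\n",
}
PATHS_TO_PROBE = ["reports/patient-summary.pdf", "reports/"]
ASSUMED_TOKEN = "example-token"  # hypothetical credential for the hardened configuration


class DefaultShareHandler(http.server.SimpleHTTPRequestHandler):
    """Stand-in for the vendor default: every file and directory listing is served to anyone."""

    def log_message(self, fmt, *args):  # keep the demo quiet
        pass


class HardenedShareHandler(http.server.SimpleHTTPRequestHandler):
    """Stand-in for a reviewed configuration: credentials required, directory listing disabled."""

    def do_GET(self):
        if self.headers.get("Authorization") != f"Bearer {ASSUMED_TOKEN}":
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Bearer realm="share"')
            self.end_headers()
            return
        super().do_GET()

    def list_directory(self, path):
        self.send_error(403, "Directory listing disabled")
        return None

    def log_message(self, fmt, *args):
        pass


def start_share(handler_cls, root):
    """Serve `root` on an ephemeral loopback port in a background thread."""
    factory = functools.partial(handler_cls, directory=root)
    server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), factory)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"


def anonymous_access_check(base_url, paths, timeout=5):
    """Request each path with no credentials; True means an anonymous user can read it."""
    exposed = {}
    for path in paths:
        req = urllib.request.Request(f"{base_url}/{path}")  # deliberately no auth header
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                exposed[path] = resp.status == 200
        except urllib.error.HTTPError:
            exposed[path] = False  # 401/403/404: not readable anonymously
    return exposed


def audit_configuration(handler_cls):
    """Stand up a share with the given configuration, populate it, and run the check."""
    with tempfile.TemporaryDirectory() as root:
        for rel, content in SAMPLE_FILES.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(content)
        server, base_url = start_share(handler_cls, root)
        try:
            return anonymous_access_check(base_url, PATHS_TO_PROBE)
        finally:
            server.shutdown()
            server.server_close()


if __name__ == "__main__":
    for name, cls in (("default", DefaultShareHandler), ("hardened", HardenedShareHandler)):
        print(name, audit_configuration(cls))
```

Run against a real share, `anonymous_access_check` is the part to keep: point it at the share's base URL and the paths you expect to be protected, from a host with no stored credentials, and treat any `True` as a rollout that is not finished. The directory path in the probe list matters as much as the file, because an enabled listing is what lets a search engine discover files it was never given a link to.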
A lot of organizations are taking the right steps to protect PHI and comply with HIPAA, but these headlines show organizations may not know what the right steps are. Privacy Analytics created Risk Monitor to fit this purpose. Risk Monitor measures the risk of re-identification in data sets so organizations can move past “steps” to ensure they are confident when sharing sensitive data. Watch the overview to learn more.