Compared to other data breaches we’ve seen in recent years, these two incidents were quite small, but that only serves to underscore how much importance the government places on them and on the sanctity of PHI (protected health information).
The first incident involved an unencrypted laptop stolen from a surgeon’s vacation home in Hawaii in February 2013. The second breach, also in 2013, involved Oregon Health & Science University’s use of a cloud-based data storage service without a business associate agreement.
An in-depth investigation later revealed that the two incidents, first thought to be unrelated, were in fact related: they involved physicians-in-training from OHSU’s medical department posting unencrypted spreadsheets filled with patient information on Google’s cloud-based email and document storage services.
The fines stemmed from the fact that, while OHSU performed risk analyses consistently, those analyses did not cover all ePHI enterprise-wide. OHSU also failed to act in a timely manner to implement measures addressing at-risk documents, despite two well-publicized data breaches and the findings of its own risk analyses.
According to OCR Director Jocelyn Samuels, “This settlement underscores the importance of leadership engagement, and why it is so critical for the C-suite to take HIPAA compliance seriously.”
The message could not be clearer. If your company must deal with HIPAA regulations, and your own risk analyses indicate points of weakness or potentially problematic areas where PHI is concerned, then you should already be moving aggressively to correct any noncompliant behaviors.
If you’re unsure and don’t want to take any chances, contact us today, and one of our knowledgeable staff members can help you review your policies and procedures to ensure that you are, and remain, in full compliance.