Oregon Health & Science University (OHSU) had a data breach in 2013 that resulted in a recently assessed $2.7 million HIPAA violation settlement. The sad thing was, they knew they had these problems (they had run several risk analyses that showed the issues) but didn’t take measures to fix them. While OHSU is a large teaching hospital, the lessons learned here apply to any business of any size, medical or otherwise, that has access to electronic protected health information (ePHI). Read on for a few things that OHSU could have done to help prevent this from happening.
The investigation by the U.S. Department of Health and Human Services Office for Civil Rights (OCR) found widespread issues and problems at OHSU. Weston takes HIPAA seriously, and we’ve published how we interpret important HIPAA regulations. OCR’s investigation led them to believe that OHSU’s C-suite of managers didn’t take HIPAA compliance seriously. Among the issues that were found that could have been easily addressed:
- Get Business Associate Agreements (BAA) Signed By Your Vendors: This is a good test for vendors. If they won’t sign a BAA, you shouldn’t be doing business with them, and you should never be storing patient data on that service. OHSU stored ePHI of over 3,000 individuals on a cloud server without that BAA signed.
- Encrypt Your Machines: Disk encryption is your “Get Out Of Jail Free” card. If a laptop or desktop is stolen or lost and you can prove that the drive was encrypted, it is not a reportable violation. An OHSU doctor had his laptop stolen from his vacation rental, which contained the records of 4,022 patients. Long ago, it could be argued that full-disk encryption was cumbersome and a huge performance hit. That hasn’t been the case for years. It could have been argued that it was too expensive. It’s not. It’s a heck of a lot cheaper than a $2.7 million fine. And if it were a performance hit, we’d complain – we’re running it on our desktops and laptops. We’re on computers all day, every day – if anybody would complain, we would.
- Get Your Policies and Procedures Together and Follow Them: From the news release: “OHSU also lacked policies and procedures to prevent, detect, contain, and correct security violations and failed to implement a mechanism to encrypt and decrypt ePHI or an equivalent alternative measure for ePHI maintained on its workstations, despite having identified this lack of encryption as a risk.”
- When You Run Risk Assessments, Fix What’s Found: OHSU ran risk assessments in 2003, 2005, 2006, 2008, 2010, and 2013. The problem is that they apparently failed to resolve the findings of those assessments. Not only that, but their analyses didn’t cover everything. OCR’s investigation found that these analyses did not cover all ePHI in OHSU’s enterprise, as required by the Security Rule. They did find vulnerabilities and risks to ePHI in many areas, and OHSU did not act in a timely manner to implement measures to address these issues.
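“Prove that the drive was encrypted” only works if you actually check, and keep the evidence, before a laptop goes missing. The script below is an added example (it is not Weston’s or OHSU’s code) of such a check for a Linux laptop using LUKS: it reads the device tree in the shape produced by `lsblk -rno NAME,TYPE,MOUNTPOINT,PKNAME`, walks each mounted filesystem up to its parent devices, and flags any mount that is not sitting on top of a dm-crypt layer. The `sample_lsblk` function feeds it constructed data (an encrypted NVMe root with an unencrypted USB stick mounted alongside it); in real use you would pipe the real `lsblk` output instead. The `/boot` and `/boot/efi` allow-list is an assumption about a typical LUKS layout and should match your own build standard.

```shell
#!/bin/sh
# Added example: verify that every mounted filesystem is backed by a dm-crypt
# (LUKS) layer, so data on a lost or stolen laptop is unreadable.
# Input shape: `lsblk -rno NAME,TYPE,MOUNTPOINT,PKNAME` (raw mode, one space
# between fields, empty fields left empty).

# Mount points that are legitimately unencrypted on a typical LUKS layout
# (assumption: adjust to your own build standard).
ALLOW_UNENCRYPTED='^/boot(/efi)?$'

# audit_fde: read lsblk lines on stdin, print one line per unencrypted mount,
# return 0 when everything is encrypted and 1 otherwise.
audit_fde() {
    awk -F'[ ]' -v allow="$ALLOW_UNENCRYPTED" '
    {
        # $1 NAME, $2 TYPE, $3 MOUNTPOINT, $4 PKNAME (parent device name)
        type[$1] = $2; mnt[$1] = $3; parent[$1] = $4
    }
    END {
        bad = 0
        for (n in mnt) {
            if (mnt[n] == "" || mnt[n] ~ allow) continue
            # Walk up the parent chain looking for a crypt layer.
            enc = 0; p = n; hops = 0
            while (p != "" && hops < 16) {
                if (type[p] == "crypt") { enc = 1; break }
                p = parent[p]; hops++
            }
            if (!enc) {
                printf "UNENCRYPTED %s mounted at %s\n", n, mnt[n]
                bad = 1
            }
        }
        exit bad
    }'
}

# sample_lsblk: constructed device tree for this example. The NVMe disk holds
# an encrypted LVM root and home; a plain USB stick is mounted at /mnt/usb.
sample_lsblk() {
    printf '%s\n' \
        'nvme0n1 disk' \
        'nvme0n1p1 part /boot/efi nvme0n1' \
        'nvme0n1p2 part /boot nvme0n1' \
        'nvme0n1p3 part  nvme0n1' \
        'cryptroot crypt  nvme0n1p3' \
        'vg-root lvm / cryptroot' \
        'vg-home lvm /home cryptroot' \
        'sda disk' \
        'sda1 part /mnt/usb sda'
}

# Stand-alone run against the constructed sample.
if sample_lsblk | audit_fde; then
    echo "OK: all mounted filesystems are encrypted"
else
    echo "FAIL: unencrypted storage present; do not keep ePHI on this device"
fi
```

Run it from a configuration-management job or login script and archive the output with a timestamp and hostname; that record is what lets you show an auditor the drive was encrypted on the day it went missing. On Windows laptops the same evidence comes from BitLocker’s `Get-BitLockerVolume` cmdlet (checking that `ProtectionStatus` is `On` for every fixed volume).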
HIPAA is a very time-consuming set of regulations, but it was implemented to ensure that critical patient data is protected. Besides the loss of confidentiality a breach can cause, newer threats such as ransomware can completely halt access to critical patient information, which could put patients in danger. HIPAA is a set of best practices designed to minimize this risk. Confused by HIPAA and looking to get some help? Contact us today and we can help you avoid the pitfalls described above.