HHS Resolution Agreement: Oklahoma State University—Center for Health Sciences (May 10, 2022); HHS News Release (July 14, 2022)
Available at https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/osu/index.html
HHS’s Office for Civil Rights (OCR) has announced an $875,000 settlement with a university medical center to resolve potential violations of HIPAA’s privacy, security, and breach notification rules. In January 2018, the medical center filed a breach report stating that an unauthorized third party had gained access in November 2017 to a web server that contained electronic protected health information (PHI). According to the report, the hacker installed malware that resulted in disclosure of the PHI of more than 275,000 individuals, including their names, Medicaid numbers, health care provider names, dates of service, dates of birth, addresses, and treatment information. The medical center later reported the unauthorized access had first occurred in March 2016 and had been discovered in September 2016—but had not been reported previously because the medical center was not aware that PHI was stored on the compromised server. Based on its investigation, OCR determined that the medical center had allowed unauthorized uses and disclosures of PHI and had not implemented adequate security incident response and reporting protocols, conducted an adequate risk analysis or evaluation, adopted adequate audit controls, or provided timely breach notification to individuals or HHS.
In addition to the settlement payment, the medical center agreed to an extensive corrective action plan (CAP). The CAP requires an enterprise-wide risk analysis and corresponding risk management plan, each subject to OCR review and approval. Within 30 days after OCR’s approval, the medical center must revise its privacy, security, and breach notification policies and procedures consistent with the risk analysis and risk management plan. The approved policies and procedures must be distributed to workforce members and incorporated into proposed training materials that, following OCR approval, must be included in training sessions for all workforce members. New workforce members must be trained within 15 days after they start work. The medical center must engage, subject to OCR approval, an independent monitor to analyze and assist with the medical center’s compliance with the CAP. For two years from the effective date, the monitor and the medical center must submit periodic reports to OCR describing compliance with the CAP.
EBIA Comment: A recent OCR cybersecurity newsletter explained how an IT asset inventory can strengthen HIPAA security (see our Checkpoint article). This resolution agreement provides a concrete illustration of the importance of doing a thorough inventory to understand all the places where PHI is created, received, maintained, or transmitted anywhere within a covered entity’s environment. This medical center may have avoided some of the adverse consequences included in the resolution agreement if it had realized at the outset that the compromised server stored PHI. For more information, see EBIA’s HIPAA Portability, Privacy & Security manual at Sections XX.D (“Resolution Agreements”) and XXX (“Core Security Requirements”).
Contributing Editors: EBIA Staff.