Oregon Health & Science University has agreed to pay $2.7 million and work through a three-year corrective action plan after a federal investigation found “widespread and diverse problems” with its data protection.
Since 2012, the university has submitted to the Office for Civil Rights at HHS four reports of data breaches involving the records of more than 500 individuals each, including the storage of data on more than 3,000 individuals “on a cloud-based server without a business associate agreement.”
The data was placed by OHSU resident physicians on either Google's Gmail or Drive cloud services and was discovered by a faculty member in 2013, the university reported at the time.
In the latter breach, “OCR found significant risk of harm to 1,361 of these individuals due to the sensitive nature of their diagnoses,” according to a statement by the agency, which has primary federal enforcement authority over the Health Insurance Portability and Accountability Act privacy, security and breach notification rules. In addition to diagnoses, the data exposed credit card and payment information, procedures, photos, driver's license numbers and Social Security numbers, the OCR statement said.
The agency also learned OHSU performed six HIPAA-mandated healthcare data risk assessments from 2003 through 2013, but some of them did not cover all protected health information held by the university.
“OHSU also lacked policies and procedures to prevent, detect, contain, and correct security violations and failed to implement a mechanism to encrypt and decrypt ePHI or an equivalent alternative measure for ePHI maintained on its workstations, despite having identified this lack of encryption as a risk,” the statement said.
The use of encryption is not required under HIPAA, but if it's not used, the HIPAA covered entity has to use an adequate substitute to protect the data.
“With mobile devices, that's clearly becoming a norm, that if they're carrying patient-identifiable information, they'll be encrypted,” said Kirk Nahra, a lawyer and privacy expert with Wiley Rein in Washington, D.C. “If you have data on laptops and mobile devices, you better have a damn good reason” not to have it encrypted.
The size of the monetary settlement, while not the largest in history, was above average among the three dozen or so reached by the OCR over HIPAA violations since the first was reached in 2008.
Nahra said that's likely because the university had some identifiable, preventable security failings, like the absence of a comprehensive risk plan.
“Also, this is a facility that has had a series of these events and that's not irrelevant,” he said.