Feds reach $2.14M HIPAA settlement with California health system

When St. Joseph Health created files containing electronic protected health information to aid in its Meaningful Use efforts in 2011, little did officials at the Irvine, California-based health system realize that the decision would end up costing the organization millions of dollars.

This week, the Department of Health and Human Services Office for Civil Rights reached a $2.14 million settlement with the nonprofit integrated Catholic healthcare system, more than four years after the organization reported that those files had been publicly accessible on the internet from Feb. 1, 2011, until Feb. 13, 2012.

Data for 31,800 individuals was compromised, including patient names, health statuses, diagnoses and demographic information. The individuals were patients at a number of the health system's facilities, including but not limited to Mission Hospital Regional Medical Center, St. Jude Hospital, Queen of the Valley Medical Center, Santa Rosa Memorial Hospital and Petaluma Valley Hospital Auxiliary.

Last March, St. Joseph was ordered to pay $7.5 million to those patients as part of a class-action lawsuit settlement.

OCR’s investigation determined that the provider did not evaluate the potential environmental and operational changes involved in launching a new server to aid in its Meaningful Use efforts. The agency also called St. Joseph’s efforts to assess the risks and vulnerabilities associated with the ePHI “patchwork.”

“Entities must not only conduct a comprehensive risk analysis, but must also evaluate and address potential security risks when implementing enterprise changes impacting ePHI,” OCR Director Jocelyn Samuels said in a statement. “The HIPAA Security Rule’s specific requirements to address environmental and operational changes are critical for the protection of patient information.”

This marks the 12th time in 2016 that OCR has reached a settlement with or fined an entity over HIPAA violations. Other entities to settle with OCR this year include Advocate Health Care ($5.55 million), Care New England Health System ($400,000) and Raleigh Orthopaedic Clinic ($750,000).

In 2015, OCR settlements totaled $6.2 million.