This past summer, multiple HIPAA settlements were reached with the HHS Office for Civil Rights (OCR). Each settlement is explained in this two-part blog series:
St. Joseph Health
St. Joseph Health recently agreed to a $2,140,500 settlement after it was reported that files containing ePHI had been accessible to the public from 2011 to 2012. St. Joseph notified OCR of the breach on February 14, 2012. The breach occurred when St. Joseph bought a new server to store its files. The server shipped with a file sharing application whose default settings allowed anyone on the internet to access the files. The lesson for practitioners is that a new system's default configuration is itself an operational change that must be evaluated before ePHI is placed on it. OCR stated, “Evidence indicated that St. Joseph failed to conduct an evaluation in response to the environment and operational changes presented by implementation of a new server for its meaningful use project, thereby compromising the security of ePHI.”
Care New England Health System
In September 2016, Care New England Health System (CNE) agreed to a $400,000 HIPAA settlement for failing to properly adhere to business associate requirements. Women & Infants Hospital of Rhode Island, a CNE covered entity, lost an unencrypted backup tape containing the ultrasound studies of approximately 14,000 individuals. OCR stated, “A business associate agreement was in place, but it was not updated until August 28, 2015 and did not incorporate revisions required under the HIPAA Omnibus Final Rule.”
Advocate Health Care
In one of the largest HIPAA settlements to date, Advocate Health Care agreed to a $5.55 million settlement in August 2016. The settlement resulted from multiple HIPAA violations and noncompliance issues. Three breach notification reports were sent to HHS between August 23, 2013 and November 1, 2013. OCR stated that Advocate must modify its existing risk analysis, develop and implement a risk management plan, implement a process for evaluating environmental and operational changes, and develop an encryption report.