It was recently reported that St. Joseph Health will pay $2,140,500 to settle HIPAA violations that occurred in 2011 and 2012. According to the OCR, on February 14, 2012 St. Joseph reported that certain files it had created to attest to meaningful use, which contained electronic PHI (ePHI), had been publicly accessible on the internet from February 1, 2011 through February 13, 2012. These documents were discoverable by Google and other search engines. The PDF files contained the ePHI of 31,800 individuals, including patient names, health statuses, diagnoses, and demographic information.
Additionally, the OCR found that although St. Joseph had hired contractors to assess its risks and vulnerabilities with regard to the confidentiality, integrity, and availability of ePHI, the work performed did not meet HIPAA requirements for an enterprise-wide risk analysis.
In addition to the financial settlement, St. Joseph has agreed to implement a corrective action plan that requires the completion of an enterprise-wide risk analysis, the development and implementation of a risk management plan, a revision of its policies and procedures, and staff training on new policies and procedures.