After an incident exposed the protected health information of 31,800 people, the organization failed to conduct a proper risk analysis, according to federal officials.
St. Joseph Health will pay $2,140,500 to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 Privacy and Security Rules.
At issue, according to the Office for Civil Rights, which oversees HIPAA rules, were files containing electronic protected health information that were publicly accessible through internet search engines from 2011 until 2012.
SJH, a nonprofit integrated Catholic healthcare delivery system sponsored by the St. Joseph Health Ministry, will also adopt a comprehensive corrective action plan as part of the settlement.
The health system operates 14 acute care hospitals, home health agencies, hospice care, outpatient services, skilled nursing facilities, community clinics and physician organizations throughout California and in parts of Texas and New Mexico.
On Feb. 14, 2012, SJH reported to OCR that certain files it created for its participation in the meaningful use program, which contained electronic PHI, were publicly accessible on the Internet from Feb. 1, 2011, until Feb. 13, 2012, via Google and possibly other search engines.
The server SJH purchased to store the files included a file-sharing application whose default settings allowed anyone with an Internet connection to access the files. The problem occurred after SJH rolled out the server and the file-sharing application but failed to examine and evaluate how they were working.
The public had unrestricted access to PDF files containing the ePHI of 31,800 individuals, including patient names, health statuses, diagnoses, and demographic information.
Moreover, OCR concluded that although SJH hired contractors to assess the risks and vulnerabilities to the confidentiality, integrity and availability of ePHI, the work was conducted in a patchwork fashion and did not result in an enterprise-wide risk analysis, as required by the HIPAA Security Rule.
“Entities must not only conduct a comprehensive risk analysis, but must also evaluate and address potential security risks when implementing enterprise changes impacting ePHI,” OCR Director Jocelyn Samuels said in a statement.
In addition to the monetary settlement, SJH has agreed to a corrective action plan that requires the organization to conduct an enterprise-wide risk analysis, develop and implement a risk management plan, revise its policies and procedures, and train its staff on these policies.