A HIPAA settlement of $3,000,000 has been agreed between the Department of Health and Human Services’ Office for Civil Rights (OCR) and the Santa Barbara, CA-based healthcare provider Cottage Health to resolve a HIPAA compliance case.
Cottage Health runs four hospitals in California: Santa Barbara Cottage Hospital, Santa Ynez Cottage Hospital, Goleta Valley Cottage Hospital and Cottage Rehabilitation Hospital.
In 2013 and 2015, Cottage Health suffered two security incidents that led to the exposure of the electronic protected health information (ePHI) of 62,500 patients.
In 2013, Cottage Health discovered that a server containing patients’ ePHI had not been properly safeguarded. Files containing patients’ ePHI could be accessed over the internet without a username or password. Files on the server included patient names, addresses, dates of birth, diagnoses, conditions, lab test results and other treatment details.
Another improperly configured server was discovered in 2015. While responding to a troubleshooting ticket, the IT team removed the protection on a server, which similarly exposed patients’ ePHI over the internet. Patient names, addresses, dates of birth, Social Security numbers, diagnoses, conditions, and other treatment details could all be accessed without a username or password.
OCR investigated the breaches and Cottage Health’s HIPAA compliance efforts. OCR found that Cottage Health had not conducted a comprehensive, organization-wide risk analysis to identify risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI, as required by 45 C.F.R. § 164.308(a)(1)(ii)(A).
Risks and vulnerabilities had not been reduced to a reasonable and acceptable level, as required by 45 C.F.R. § 164.308(a)(1)(ii)(B).
Periodic technical and non-technical evaluations following environmental or operational changes had not been performed, in violation of 45 C.F.R. § 164.308(a)(8).
OCR also found that Cottage Health had not entered into a HIPAA-compliant business associate agreement (BAA) with a contractor that handled ePHI, a violation of 45 C.F.R. §§ 164.308(b) and 164.502(e).
In addition to the financial penalty, Cottage Health has agreed to implement a three-year Corrective Action Plan (CAP). The CAP requires Cottage Health to complete a comprehensive, organization-wide risk analysis to identify all risks to the confidentiality, integrity, and availability of ePHI. Cottage Health must also develop and implement a risk management plan to address all security risks and vulnerabilities identified during the risk analysis. The risk analysis must be reviewed annually and following any environmental or operational changes, and a process for reviewing such changes must also be implemented.
Cottage Health must also develop and distribute written policies and procedures covering the HIPAA Privacy and Security Rules and must train all staff on the new policies and procedures. Cottage Health must also report to OCR every 12 months on the status of its CAP for the following three years.
OCR Director Roger Severino said: “Our record year underscores the need for covered entities to be proactive about data security if they want to avoid being on the wrong end of an enforcement action. The Cottage settlement reminds us that information security is a dynamic process and the risks to ePHI may arise before, during, and after implementation when a covered entity makes system changes.”