Oregon Health & Science University (“OHSU”) has paid $2.7 million to the U.S. Department of Health and Human Services, Office for Civil Rights (“OCR”) to settle allegations that it violated the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). OHSU must also comply with a three-year corrective action plan.

OCR began an investigation of OHSU’s compliance with HIPAA after OCR received notice from OHSU in 2013 that (i) an OHSU laptop computer was stolen resulting in a breach of unsecured electronic protected health information (“ePHI”), and (ii) OHSU stored ePHI with an internet-service provider without a business associate agreement, which is required under HIPAA.

OCR determined that OHSU:

  • Failed to implement policies and procedures to prevent, detect, contain, and correct security violations;
  • Failed to implement a mechanism to encrypt and decrypt ePHI for all ePHI maintained in OHSU’s enterprise; and
  • Failed to implement policies and procedures to address security incidents.

OCR Director, Jocelyn Samuels, announced:

From well-publicized large scale breaches and findings in their own risk analyses, OHSU had every opportunity to address security management processes that were insufficient. Furthermore, OHSU should have addressed the lack of a business associate agreement before allowing a vendor to store ePHI. This settlement underscores the importance of leadership engagement and why it is so critical for the C-suite to take HIPAA compliance seriously.

To read the press release, click here.

To read the Resolution Agreement and Corrective Action Plan, click here.