March 30, 2020
Conduct Thorough HIPAA Risk Analysis or Pay Big Fines

St. Joseph Health recently agreed to pay $2.14 million to settle allegations by the Department of Health and Human Services Office for Civil Rights (“OCR”) that its data security was inadequate.

In its investigation of St. Joseph’s handling of a 2012 data breach that exposed 31,800 patient medical records, OCR found that St. Joseph had put a new server into service without changing its default settings. Under that default configuration, files containing the protected health information of those 31,800 patients were indexed by internet search engines and accessible to the public for a full year. By failing to review and change the server’s default settings before deploying it, St. Joseph potentially violated the HIPAA Security Rule’s requirement to conduct a technical and nontechnical evaluation of any operational change that might affect the security of ePHI.

In addition to paying $2.14 million, St. Joseph Health agreed to implement a corrective action plan that requires it to conduct an enterprise-wide risk analysis, develop and implement a risk management plan, revise its policies and procedures, and train its staff on those policies and procedures. St. Joseph had conducted an enterprise-wide risk analysis in 2010, but OCR deemed it inadequate because the analysis did not include an evaluation of the technical specifications of St. Joseph’s servers.

This settlement indicates that OCR enforcement efforts will continue to focus on the systemic root causes of data breaches, including the failure of healthcare entities to perform accurate and thorough risk assessments. It arrives only a few months after OCR entered into settlements with Advocate Health Care, Oregon Health & Science University, and the University of Mississippi Medical Center for $5.5 million, $2.7 million, and $2.75 million, respectively. In those cases, OCR likewise found that the medical centers had failed to conduct enterprise-wide risk analyses covering all of their ePHI, among other deficiencies.

To comply with the HIPAA Security Rule, healthcare providers should conduct regular enterprise-wide risk analyses covering all, not just some, of their ePHI; implement policies and procedures that limit physical access to electronic information systems; and adopt processes that identify any change in their environment, operations, or electronic information systems that might affect the security of ePHI. Any analysis should include a technical evaluation of the servers that store or transmit ePHI, and, as the St. Joseph case shows, that evaluation should be repeated whenever a new server or system is brought into service rather than left at the configuration it shipped with. OCR and HHS have published tools to help entities conduct an effective risk analysis, including HHS’ Security Risk Assessment Tool and OCR’s Final Guidance on Risk Analysis.

Copyright Holland & Hart LLP 1995-2020.


About this Author

Kim C. Stanger, Holland & Hart

Clients in the healthcare industry trust Mr. Stanger to provide sophisticated and nuanced counsel on everything from simple healthcare transactions to more complicated regulatory matters.

Mr. Stanger guides clients through simple and complex healthcare transactions, including practitioner and payor contracts; joint ventures; practice formations, acquisitions, and mergers; conversions; and physician integration. He helps clients comply with numerous laws and regulations governing healthcare, including Stark, the Anti-Kickback Statute, HIPAA,...

Romaine C. Marshall, Holland & Hart

Mr. Marshall is a litigation and trial attorney in the Salt Lake City office who represents businesses in the software, technology, financial and technical services, and energy and natural resources industries. He distills complex factual and legal issues to persuade judges, juries, and opposing parties at trial and in arbitration. He also counsels clients on how to avoid the business expense and disruption of litigation and trial through settlement, pretrial dispositive relief, and other dispute resolution options. Mr. Marshall has represented clients in disputes before, and on behalf of, numerous federal and state agencies, including the SEC, FDIC, FBI, IRS, and the Utah Department of Insurance.

Prior to joining Holland & Hart, Mr. Marshall was a judicial law clerk for the Honorable J. Thomas Greene of the U.S. District Court for the District of Utah.

Software and Technology Litigation

  • Obtained injunctive relief and favorable settlement for telecommunications provider in data breach and misappropriation of trade secrets case.

  • Successfully opposed attempts to cease operations of software company in California and defended company's former CEO in Utah against claims for fraud, data theft, and trade secret misappropriation.

  • Successfully defended software distribution and CRM company in California and negotiated voluntary dismissal of all claims by software manufacturer.

C. Matt Sorensen, Holland & Hart

Mr. Sorensen is a Certified Information Systems Security Professional (CISSP) and a Certified Information Privacy Professional for both the United States and Europe (CIPP/US and CIPP/E), focusing his practice on domestic and international data privacy and cybersecurity law. He advises companies across industries on breach prevention, cyber-attack preparedness, information governance, regulatory compliance, and data breach management. In particular, he helps clients understand how to create and implement effective compliance programs and controls...