Health System Pays for HIPAA Violations

Posted by BAS - 28 July, 2016


The Department of Health and Human Services Office of Civil Rights entered into a resolution agreement with Oregon Health & Science University for HIPAA violations.  OHSU agreed to pay $2.7 million and implement a corrective action plan.

In 2013, OHSU reported to HHS two separate HIPAA breaches. The first breach, reported in March, resulted from a stolen laptop computer. The laptop was not encrypted. A second breach, reported in March, resulted from storing electronic protected health information at an internet-based service provider without a business associate agreement.

HHS’s investigation uncovered widespread vulnerabilities in the OHSU HIPAA compliance program. The entity’s risk assessment did not cover all electronic protected health information at the entity, and OHSU lacked policies and procedures to prevent, detect and correct violations.

The resolution included a three-year corrective action plan along with fines.

