BAS Blog

Health System Pays for HIPAA Violations

Written by BAS | Jul 28, 2016 2:31:03 PM

The Department of Health and Human Services Office of Civil Rights entered into a resolution agreement with Oregon Health & Science University for HIPAA violations.  OHSU agreed to pay $2.7 million and implement a corrective action plan.

In 2013, OHSU reported to HHS two separate HIPAA breaches.  The first breach, reported in March, resulted from a stolen laptop computer.  The laptop was not encrypted.  A second breach, reported in March, resulted from storing electronic protected health information at an internet-based service provider without a business associate.

HHS’s investigation uncovered widespread vulnerabilities in the OHSU HIPAA compliance program.  The entity’s risk assessment did not cover all of its electronic protected health information, and OHSU lacked policies and procedures to prevent, detect and correct violations.

The resolution included a three-year corrective action plan along with fines.