Webinar replay: Personal Health Information: Hospitals, Health Plans, and Human Resources

Event Date: Thursday, October 13, 2016

Headlines screaming about the mishandling of personal health information have become ubiquitous in the media. Employers handling health records are rightly concerned about their liability for the protection of such data. So where should an anxious employer begin?

This free webinar replay gives employers an overview of their legal obligations, with particular attention to health care providers, covered entities, and business associates under HIPAA, as well as the handling of health information arising from health insurance, medical leave, or disability, and it also covers GINA, the FMLA, and the ADA.

Replay this webinar to get real answers to questions like:

  • What obligations do organizations have to secure protected health information (PHI) under HIPAA?
  • What can HIPAA-covered entities and business associates expect from OCR audits and compliance investigations?
  • What other laws must employers consider when dealing with health information?

Oregon university pays $2.7M, agrees to corrective action plan following breaches

Data breaches affecting thousands of people have resulted in Oregon Health & Science University (OHSU) settling with HHS to resolve allegations of potential Health Insurance Portability and Accountability Act (HIPAA) (P.L. 104-191) violations. The settlement includes a $2.7 million payment as well as the implementation of a corrective action plan (CAP). The HHS Office for Civil Rights (OCR) stated that OHSU failed to correct system security issues despite several opportunities to do so.

Risk analysis and breaches

Between 2003 and 2013, OHSU performed six risk analyses, none of which covered all electronic protected health information (ePHI) as required. Even with that limited scope, the analyses identified widespread vulnerabilities. OHSU did not properly implement security measures to address them and failed to create the policies and procedures needed to prevent, detect, and respond to security violations. The risk analyses identified the lack of encryption as a vulnerability, yet ePHI still was not encrypted.

As a result of OHSU’s inaction, several breaches occurred, involving unencrypted laptops and a stolen unencrypted thumb drive. Protected information about thousands of people was also stored on a cloud server without a proper security agreement in place. Over a thousand of those people had a diagnosis of a sensitive nature, presenting a significant risk of harm. The same server also held payment information, photos, Social Security numbers, driver’s license numbers, and procedures.

Resolution agreement

OHSU’s resolution agreement with HHS establishes OHSU’s responsibility to implement the CAP and pay the fee. In exchange, HHS releases OHSU from actions the agency could take due to the confidentiality issues. The CAP places various obligations on OHSU, starting with a thorough assessment of all risks and vulnerabilities to ePHI at all facilities, including all systems, networks, and devices that handle ePHI. A risk management plan must be created for implementing security measures and submitted to HHS for review and approval. HHS must also receive regular updates about encryption status and updates regarding OHSU’s compliance under the CAP.