Another big HIPAA fine was announced today by the U.S. Department of Health and Human Services Office for Civil Rights (OCR). Oregon Health & Science University (OHSU), which is up the hill from my alma mater Portland State University, has agreed to pay a whopping $2,7000,000 to settle HIPAA violations found during an investigation by OCR.
The investigation began after OHSU submitted several breach reports that affected thousands of individuals. The breaches included:
- 2 stolen unencrypted laptops
- A stolen unencrypted thumb drive
- Storage of ePHI with a cloud-based vendor without a Business Associate Agreement in place
If these types of breaches sound familiar, it’s because they are! We’ve previously written about these same types of offenses happening to others:
- Stolen Laptops Continue to Result in Huge HIPAA Fines
- HIPAA Fines caused by Stolen Thumb Drives
- HIPAA Business Associate Agreements are Required by Law
Risk Analysis must cover HIPAA Security and Privacy Rules
Although OHSU did perform risk analyses, OCR’s investigation found these analyses did not cover their entire enterprise, as required by the HIPAA Security Rule. In addition, while vulnerabilities and risks to PHI were found in many areas of the organization, OHSU did not act in a timely manner to implement measures to address these risks. Furthermore, OHSU lacked policies and procedures to prevent, detect, and correct security violations. Lastly, they failed to implement disk encryption for their workstations, despite having identified this lack of encryption as a risk.
Disk Encryption can be done for Free
Regardless of whether you can use a Mac or a PC, free disk encryption utilities are available for each operating system. Encrypting your computer’s hard drive is a crucial component of HIPAA compliance and should not be overlooked.
SEE ALSO: Free Disk Encryption for Mac OS