The Department of Health and Human Services’ Office for Civil Rights (OCR) has agreed to settle a HIPAA violation case with Santa Barbara, CA-based Cottage Health for $3,000,000. Cottage Health manages four hospitals in California including Santa Ynez Cottage Hospital, Santa Barbara Cottage Hospital, Cottage Rehabilitation Hospital and Goleta Valley Cottage Hospital.
Cottage Health experienced two security incidents in 2013 and 2015, which together resulted in the exposure of 62,500 patients’ electronic protected health information (ePHI). In 2013, Cottage Health learned that a server storing patients’ ePHI was not appropriately secured. People could have accessed files that contain patients’ ePHI over the internet without a username or password. The compromised files contained patient names, birth dates, addresses, diagnoses, health conditions, laboratory test results and other treatment details.
Cottage Health discovered another server misconfiguration in 2015. When responding to a troubleshooting ticket, IT staff turned off a server’s protection which resulted in the exposure of patients ePHI online. Anyone could access patients’ names, birth dates, addresses, social security numbers, health diagnoses, medical conditions, and other treatment details without a username or password.
OCR looked into both incidents and assessed the HIPAA compliance efforts of Cottage Health. OCR concluded that Cottage Health failed in the following aspects of HIPAA compliance:
- 45 C.F.R. § 164.308(a)(l)(ii)(A) – A comprehensive risk analysis to identify risks and vulnerabilities to the integrity, confidentiality and availability of ePHI.
- 45 C.F.R. § 164.308(a)(l )(ii)(B) – Risk management – Reducing risks to a reasonable and acceptable level.
- 45 C.F.R. § 164.308(a)(8) – Conducting periodic technical and non-technical assessments in response to environmental and operational changes.
- 45 C.F.R. § 164.308(b) and 164.502(e) – The requirement to enter into a business associate agreement (BAA) with all service providers.
Besides the financial penalty, Cottage Health has agreed to follow a 3-year Corrective Action Plan (CAP). The CAP includes conducting a comprehensive organizational risk analysis to find all risks to the integrity, confidentiality and availability of ePHI. Cottage Health needs to develop and follow a risk management plan to deal with all security risks and vulnerabilities found during the risk analysis. The risk analysis should be reviewed yearly and subsequent to any operational or environmental changes. There must also be a process for reviewing operational or environmental changes.
Cottage Health also need to create, employ, and distribute written policies and procedures that cover the HIPAA Privacy and Security Rules. All employees must be trained on the new policies and procedures. Cottage Health must also submit a yearly status report to OCR regarding its CAP for the next three years.
2018 has been a record year for HIPAA fines and settlements. OCR agreed 10 settlements with covered entities and business associates for HIPAA Rules violations and issued one civil monetary penalty in 2018. The $28,683,400 total of the 11 financial penalties exceeded the past record of $23,505,300 set in 2016. OCR also agreed the largest HIPAA settlement ever in 2018. Anthem Inc paid $16,000,000 for alleged HIPAA Rules violations. This settlement was approximately three times bigger than the previous record HIPAA fine – Advocate Health Care Network’s $5.5 million penalty in 2016.