$3m HIPAA Settlement Agreed between Cottage Health and OCR

A HIPAA settlement of $3,000,000 has been agreed between the Department of Health and Human Services’ Office for Civil Rights (OCR) and Cottage Health, a Santa Barbara, CA-based healthcare provider, to resolve potential HIPAA violations arising from two data breaches.

Cottage Health manages four different hospitals in California, including Santa Barbara Cottage Hospital, Santa Ynez Cottage Hospital, Goleta Valley Cottage Hospital, and Cottage Rehabilitation Hospital.

In 2013 and 2015, Cottage Health suffered two security incidents that exposed the electronic protected health information (ePHI) of 62,500 patients.

In 2013, Cottage Health discovered that a server containing patients’ ePHI had not been properly secured. Files on the server could be accessed over the internet without a username or password. The files contained patient names, addresses, dates of birth, diagnoses, conditions, lab test results, and other treatment information.

A second misconfigured server was discovered in 2015. While responding to a troubleshooting ticket, the IT team removed the security protections on a server, which likewise exposed patients’ ePHI over the internet. Patient names, addresses, dates of birth, Social Security numbers, diagnoses, conditions, and other treatment information could all be accessed without a username or password.
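Both incidents share the same failure mode: a server that should have demanded credentials answered anonymous requests with patient files, and in the 2015 case the exposure was introduced by a routine change. The check a practitioner would want after such a change is an authentication regression probe that requests each sensitive path with no credentials and treats an HTTP 200 as an exposure. The following is an added example, not code from the article or from Cottage Health. It stands up two local servers, one enforcing HTTP Basic authentication and one with that requirement stripped out to model the misconfiguration, and probes the same path on both. The path /records/1234, the credentials, and the sample record are all constructed for the demo.

```python
"""Probe whether paths that should require authentication are reachable anonymously."""
import base64
import http.server
import threading
import urllib.error
import urllib.request
from http import HTTPStatus

# Constructed sample record standing in for a file of patient data; not real PHI.
SAMPLE_RECORD = b"name=Jane Doe;dob=1970-01-01;dx=E11.9\n"

# Hypothetical credentials for the demo server (an assumption, not from the article).
VALID_AUTH = "Basic " + base64.b64encode(b"clinician:s3cret").decode()


def make_handler(require_auth):
    """Build a request handler that either enforces HTTP Basic auth or, to model
    the misconfiguration, serves the record to anyone."""

    class Handler(http.server.BaseHTTPRequestHandler):
        def do_GET(self):
            if require_auth and self.headers.get("Authorization") != VALID_AUTH:
                self.send_response(HTTPStatus.UNAUTHORIZED)
                self.send_header("WWW-Authenticate", 'Basic realm="ephi"')
                self.end_headers()
                return
            self.send_response(HTTPStatus.OK)
            self.send_header("Content-Type", "text/plain")
            self.send_header("Content-Length", str(len(SAMPLE_RECORD)))
            self.end_headers()
            self.wfile.write(SAMPLE_RECORD)

        def log_message(self, *args):  # keep the demo quiet
            pass

    return Handler


def start_server(require_auth):
    """Start a local HTTP server on a random loopback port in a background thread."""
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), make_handler(require_auth))
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def probe(url, timeout=5.0):
    """Request url with no credentials. Returns (exposed, status): exposed is True
    only when the server answers 200 to an anonymous request; a 401 or 403 means
    the authentication control is in place."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status == HTTPStatus.OK, resp.status
    except urllib.error.HTTPError as err:
        return False, err.code


def audit(urls):
    """Probe each URL in a list of paths that must require credentials and return
    the ones that served content anonymously, ready to be alerted on."""
    return sorted(u for u in urls if probe(u)[0])


def demo():
    """Run two local servers, one correctly protected and one with the
    authentication requirement removed, and probe the same path on both."""
    protected = start_server(require_auth=True)
    exposed = start_server(require_auth=False)
    try:
        urls = {
            "protected": f"http://127.0.0.1:{protected.server_port}/records/1234",
            "exposed": f"http://127.0.0.1:{exposed.server_port}/records/1234",
        }
        return {name: probe(url) for name, url in urls.items()}
    finally:
        for srv in (protected, exposed):
            srv.shutdown()
            srv.server_close()


if __name__ == "__main__":
    for name, (is_exposed, status) in demo().items():
        print(f"{name}: HTTP {status} -> {'EXPOSED' if is_exposed else 'protected'}")
```

Run against a real inventory of ePHI-bearing paths, audit() would be scheduled after every change ticket touching those servers and on a timer, so that a stripped authentication control is caught by the operator rather than by whoever finds the files on the internet first. The probe deliberately sends no credentials; a 200 for an anonymous request is the only condition it reports, so a 404 or a 500 is neither proof of protection nor of exposure and should be investigated separately.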

OCR investigated the breaches and Cottage Health’s HIPAA compliance efforts. OCR determined that Cottage Health had failed to conduct an accurate and thorough, organization-wide risk analysis to identify risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI, as required by 45 C.F.R. § 164.308(a)(1)(ii)(A).

Risks and vulnerabilities had not been reduced to a reasonable and appropriate level, as required by 45 C.F.R. § 164.308(a)(1)(ii)(B).

Periodic technical and non-technical evaluations in response to environmental or operational changes had not been performed, in violation of 45 C.F.R. § 164.308(a)(8).

OCR also found that Cottage Health had not entered into a HIPAA-compliant business associate agreement (BAA) with a contractor that maintained ePHI, a violation of 45 C.F.R. § 164.308(b) and 164.502(e).

In addition to the financial penalty, Cottage Health has agreed to adopt a three-year Corrective Action Plan (CAP). The CAP requires Cottage Health to complete a thorough, organization-wide risk analysis to identify all risks to the confidentiality, integrity, and availability of ePHI. Cottage Health must also develop and implement a risk management plan to address all security risks and vulnerabilities identified by the risk analysis. The risk analysis must be reviewed annually and after any environmental or operational changes, and a process for evaluating such changes must be put in place.

Cottage Health must also develop and distribute written policies and procedures covering the HIPAA Privacy and Security Rules and must train all staff on the new policies and procedures. Cottage Health must also report to OCR annually on the status of its CAP for the next three years.

OCR Director Roger Severino said: “Our record year highlights the need for covered entities to be proactive about data security if they want to avoid being on the wrong end of an enforcement action. The Cottage settlement reminds us that information security is a dynamic process and the risks to ePHI may arise before, during, and after a covered entity makes system changes.”