Oregon Health & Science University has signed a HIPAA resolution agreement and corrective action plan with the HHS Office for Civil Rights, which includes a $2.7 million fine following two breaches in 2013.

The healthcare organization announced the agreement and penalty itself, doing so before a formal announcement by the OCR.

The incidents involved a stolen laptop and use of cloud storage services without having a business associate agreement in place. In recent months, OCR enforcement activities have paid particular attention to BAAs, highlighting the importance for healthcare organizations of maintaining appropriate oversight of contractors.

Oregon Health & Science University Hospital M.O. Stevens

Typically, OCR first announces HIPAA enforcement actions and related penalties; in this case, OHSU released news of the action itself. OCR announcements often give the agency's interpretation of a breach and its own presentation of the high points of the action plan.

Following the incidents, OHSU offered identity theft protection services to more than 7,000 affected individuals and implemented a data encryption program. The university notes that no harm has been reported as a result of the breaches.

In a statement, OHSU CIO Bridget Barnes said the university made significant security enhancements after the breaches and now is engaging an external consultant and creating a steering committee to oversee the corrective action plan, which includes identifying and assessing vulnerabilities and risks.

“Patients and healthcare providers benefit significantly from access to electronic health records and emails from various devices and locations; however, this access comes with new security challenges,” Barnes said. “In the face of these challenges, OHSU is proactively working to ensure the creation of a sustainable gold standard for protected health information security and HIPAA compliance.”
