Oklahoma State University Settles HIPAA Case with OCR for $875,000
The Department of Health and Human Services' (HHS) Office for Civil Rights (OCR) has announced that Oklahoma State University – Center for Health Sciences (OSU-CHS) has agreed to settle a HIPAA investigation stemming from a web server hacking incident and has agreed to pay a financial penalty of $875,000 to resolve potential violations of the HIPAA Privacy, Security, and Breach Notification Rules.
OSU-CHS is a public land-grant research university that provides preventive, rehabilitative, and diagnostic care in Oklahoma. OCR launched a HIPAA investigation after receiving a breach report on January 5, 2018, in response to the hacking of an OSU-CHS web server. OSU-CHS determined that malware had been installed on the server, which allowed the hacker(s) to access the electronic protected health information (ePHI) of 279,865 individuals.
The information exposed and potentially obtained by an unauthorized third party included names, Medicaid numbers, healthcare provider names, dates of service, dates of birth, addresses, and treatment information. OSU-CHS initially declared that the data breach occurred on November 7, 2017; however, it was later reported that the hackers first had access to the ePHI of patients 20 months earlier, on March 9, 2016.
OCR investigators determined that OSU-CHS had potentially violated the following provisions of the HIPAA Rules:
- Impermissible disclosure of the ePHI of 279,865 individuals – 45 C.F.R. § 164.502(a)
- Failure to conduct a comprehensive and accurate organization-wide risk analysis – 45 C.F.R. § 164.308(a)(1)(ii)(A)
- Failure to perform a periodic technical and nontechnical evaluation in response to environmental or operational changes affecting the security of ePHI – 45 C.F.R. § 164.308(a)(8)
- Failure to implement audit controls – 45 C.F.R. § 164.312(b)
- A security incident response and reporting failure – 45 C.F.R. § 164.308(a)(6)(ii)
- Failure to provide timely breach notification to affected individuals – 45 C.F.R. § 164.404
- Failure to provide timely breach notification to the Secretary of the HHS – 45 C.F.R. § 164.408
In addition to the financial penalty, OSU-CHS has agreed to implement a corrective action plan to resolve all areas of non-compliance identified by OCR and will be closely monitored for compliance with the corrective action plan and the HIPAA Rules for 2 years. The case was settled with no admission of liability or wrongdoing.
“HIPAA-covered entities are vulnerable to cyber-attackers if they fail to know where ePHI is stored in their information systems,” said OCR Director Lisa J. Pino. “Effective cybersecurity starts with an accurate and thorough risk analysis and implementing all of the Security Rule requirements.”
This is the fifth financial penalty to be imposed by OCR in 2022 to resolve HIPAA violations, and the 111th penalty to be imposed since OCR was given the authority to fine HIPAA-regulated entities for HIPAA violations.