In January 2018, Oklahoma State University – Center for Health Sciences (OSU-CHS) reported a breach of protected health information (PHI) to the United States Department of Health and Human Services, Office for Civil Rights (OCR). The breach resulted from an unauthorized third party gaining access to an OSU-CHS web server, which affected 279,865 individuals. The folders stored on the web server contained PHI, including patients' names, Medicaid numbers, dates of birth, addresses, treatment information, and others.
On December 16, 2021, OCR and OSU-CHS entered into a Resolution Agreement and Corrective Action Plan, resolving the potential violations of the HIPAA Rules related to the breach. OSU-CHS agreed to pay a Resolution Amount of $875,000 to HHS by May 20, 2022. Additionally, OSU-CHS agreed to comply with the Corrective Action Plan (CAP) attached to the Agreement by reference.
The CAP requires OSU-CHS to take several steps to ensure compliance with the HIPAA Rules. These steps include conducting a comprehensive risk analysis, developing, and implementing a risk management plan, reviewing and revising policies and procedures related to the HIPAA Rules, and providing training to its workforce members on the HIPAA Rules.
The Agreement did not constitute an admission of liability by OSU-CHS or a concession by HHS that OSU-CHS is not in violation of the HIPAA Rules and not liable for civil money penalties (CMPs).
This Resolution Agreement and Corrective Action Plan serve as a reminder to all Covered Entities and Business Associates to ensure compliance with the HIPAA Rules, including the Privacy Rule, the Security Rule, and the Breach Notification Rule.
Covered Entities and Business Associates must conduct regular risk assessments and implement appropriate administrative, physical, and technical safeguards to protect PHI. Furthermore, Covered Entities and Business Associates must have policies and procedures in place for responding to security incidents and breaches of PHI.
In conclusion, the OCR and OSU-CHS have entered into a Resolution Agreement and Corrective Action Plan to resolve potential HIPAA compliance violations related to a breach of PHI. Covered Entities and Business Associates must ensure compliance with the HIPAA Rules, including conducting regular risk assessments and implementing appropriate safeguards to protect PHI. Failure to do so can result in significant penalties and other legal consequences.