OHSU has signed a resolution agreement with the U.S. Department of Health and Human Services Office for Civil Rights following an investigation of two breaches of electronic protected health information that occurred in 2013. The first incident involved a stolen laptop and the second resulted from the use of an internet-based information storage service, or “cloud storage” service, without a business associate agreement. The resolution agreement includes a one-time payment of $2.7 million and a rigorous three-year corrective action plan.
Following an extensive internal investigation in 2013, OHSU reported the breaches to OCR; offered free identity theft protection services to patients at risk for identity theft; established a 1-800-number to answer patient questions and concerns; implemented enhanced computer encryption across the university; and issued press releases outlining the incidents. As of this writing, no harm has been reported by any patients involved (4,022 patients were notified of the stolen laptop incident; 3,044 patient were notified of the cloud storage incident).
Following is a statement from Bridget Barnes, OHSU chief information officer:
“Patient privacy has been and always will be a top priority at OHSU. OHSU is continuously working to improve protection of patient information data in a constantly changing security and technology landscape. The two breaches that occurred in 2013 were stark reminders to OHSU how vigilant we must be. We made significant data security enhancements at the time of the incidents and now are investing at an unprecedented level in proactive measures to further safeguard patient information.
OHSU has long had stringent privacy and security policies in place to prevent disclosures of protected health information, and we will continue to enhance the protections. In the coming weeks, OHSU will engage an external information security consultant and convene a multidisciplinary steering committee from across the university to help us meet the requirements of the corrective action plan.
Over the next few months and beyond, OHSU integrity and information security experts will work with the consultant and our steering committee to identify patient information security risks or vulnerabilities, and make regular reports to OCR, and implement any necessary mitigation strategies.
Patients and health care providers benefit significantly from access to electronic health records and emails from various devices and locations; however, this access comes with new security challenges. In the face of these challenges, OHSU is proactively working to ensure the creation of a sustainable gold standard for protected health information security and HIPAA compliance.”