Academic Health Center Settles Alleged HIPAA Violations With $2.7 Million Penalty
By Carol A. Hyde
Oregon Health & Science University (OHSU), Oregon’s only academic health center comprising two hospitals and multiple general and specialty clinics, has agreed to pay a penalty of $2.7 million to settle alleged HIPAA violations.
The U.S. Department of Health and Human Services Office for Civil Rights (OCR) commenced an investigation after OHSU submitted multiple breach reports impacting thousands of individuals. OCR uncovered evidence of widespread vulnerabilities within the health care system’s HIPAA compliance program, and OCR’s findings provide a virtual checklist of what a HIPAA covered entity or business associate should not do. Specifically, OCR found that OHSU:
In addition to the penalty, OHSU has signed a HIPAA resolution agreement and will participate in a comprehensive three-year corrective action plan with the HHS Office for Civil Rights. OHSU did not admit liability. A copy of the resolution agreement and corrective action plan can be found at this link: http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/ohsu/index.html
OCR is stepping up its attention to business associate agreements. Health care organizations must establish, maintain and monitor a comprehensive vendor management program, with due diligence on potential business associates both in advance of and during the contract term.