OCR Settlement: Risk Assessment Required Prior to Using ePHI Cloud Storage

by Leonardo M. Tamburello

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced a resolution agreement with a major tertiary-care hospital that provided both inpatient and outpatient care (the “Hospital”) stemming from the Hospital’s use of “cloud” document storage of ePHI and a separate breach involving a laptop and USB drive.

In 2012, workforce members reported to OCR that the Hospital was using an internet-based document sharing application to store documents containing ePHI of at least 498 individuals and that the Hospital had not first analyzed the risks associated with this “software as a service.” OCR’s subsequent investigation determined that the Hospital failed to timely identify and respond to one security incident, mitigate its harmful effects, and document its outcome, all of which are required by HIPAA.

“Organizations must pay particular attention to HIPAA’s requirements when using internet-based document sharing applications,” said OCR Director Jocelyn Samuels. “In order to reduce potential risks and vulnerabilities, all workforce members must follow all policies and procedures, and entities must ensure that incidents are reported and mitigated in a timely manner.”

Approximately two years later, in 2014, the Hospital notified OCR regarding a separate breach of unsecured ePHI stored on a workforce member’s personal laptop and USB drive, affecting 595 individuals.

On July 10, 2015, OCR announced that it and the Hospital agreed to a $218,400 settlement and implementation of a corrective plan of action as a result of these breaches, which affected nearly 1,100 individuals in total.

This settlement agreement is significant for several reasons. First, it encompasses more than one breach. Although it had been widely believed that OCR would deal with multiple breaches from a single entity in a consolidated fashion, this is the first time that has actually occurred. Second, OCR’s investigation into the document sharing breach was prompted by reports from the Hospital’s workforce members.

That these employees reported privacy concerns to the government rather than the Hospital suggests that they were unaware, unwilling, or unable to share these concerns with the Hospital’s Privacy Officer. This could be indicative of a serious, fundamental breakdown of the privacy program at the Hospital. Third, the settlement here highlights the importance of first conducting a thorough risk assessment prior to implementing cloud-based storage or other “software as a service” programs when handling ePHI.

The full Resolution Agreement can be found at this link to the OCR website.