Slammed For $2.7 Million: What We Can Learn About Managing Business Associates

When it comes to compliance violations, mismanaged Business Associates are often the root cause of the larger violations that follow. While newer rules place significant responsibilities on the Business Associates themselves, it is still your patients' PHI to protect (along with your reputation).

Of course you want to prevent compliance violations, but how can you effectively manage your Business Associates without it taking over your life? Luckily, it’s doable. You can learn the right and wrong way to manage your BAs from other entities’ settlements and corrective action plans.

To learn how you can use the case studies below to improve your own compliance program, tune in to our free webinar, "Failure to Comply: Examples of Business Associates Gone Wrong."


OHSU Nailed: Settles for 2.7 Million Dollars

“OHSU should have addressed the lack of business associate agreement before allowing a vendor to store ePHI. This settlement underscores the importance of leadership engagement and why it is so important for C-suite to take HIPAA compliance seriously.” - Jocelyn Samuels, Director of HHS OCR.

Oregon Health & Science University (OHSU), a public academic health center and research university based in Portland, Oregon, recently settled for 2.7 million dollars over potential violations of the HIPAA Privacy and Security Rules following an investigation by the HHS OCR. The many compliance issues will also be addressed through a three-year corrective action plan.

OCR’s investigation began after OHSU submitted breach reports, two of which involved unencrypted laptops and another that involved a stolen thumb drive. OCR discovered evidence of widespread vulnerabilities within OHSU’s HIPAA compliance program. Among them, residents had used Google Docs to store documents containing the PHI of over 3,000 individuals (1,361 of whom had sensitive diagnoses) without a Business Associate Agreement in place with Google.

Surprisingly, OHSU performed risk analyses almost every other year from 2003 to 2013, but the analyses it conducted did not cover all of the ePHI in OHSU’s enterprise, as the Security Rule requires. Vulnerabilities were identified, but OHSU did not resolve them in a timely manner. According to the HHS.gov website, “OHSU also lacked policies and procedures to prevent, detect, contain, and correct security violations and failed to implement a mechanism to encrypt and decrypt ePHI or an equivalent alternative measure for ePHI maintained on its workstations, despite having identified this lack of encryption as a risk.”
