Senior Communications Manager
Kirk Nahra Comments on OHSU’s Recent HIPAA Settlement
Kirk J. Nahra, chair of Wiley Rein’s Privacy Practice and co-chair of the Health Care Practice, was quoted in a July 15 Healthcare Info Security article about the recent Health Insurance Portability and Accountability Act (HIPAA) settlement with Oregon Health & Science University (OHSU), following two breaches in 2013 that together affected more than 7,000 individuals. The first breach involved an unencrypted laptop that was stolen from a surgeon’s vacation rental home in Hawaii. The second breach involved OHSU’s use of a cloud storage service without a business associate agreement. As part of its resolution agreement with the U. S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR), OHSU agreed to pay federal regulators $2.7 million and will adopt a three-year corrective action plan.
Mr. Nahra believes the large financial penalty for these relatively small breaches is likely due to the fact that OHSU had previously reported other breaches to OCR, including the 2012 theft of an unencrypted USB drive from the home of an OHSU employee, which contained the personal health information of 14,000 pediatric patients. “I presume that the history here mattered more than the volume of individuals affected by the breaches at the center of the OHSU resolution agreement,” Nahra says.
According to the article, this settlement came following new ransomware guidance and the announcement of 167 covered entities being chosen for desk audits in phase two of OCR’s HIPAA compliance audit program. Despite the timing, Mr. Nahra sees “this activity as mainly a coincidence, not more than that.”
To read the full article, please click here.