I hate change. I especially hate change when it comes to my technology. I reach a stable state with my computer network, which permits me to achieve great efficiency, but when I change one thing, something else changes that I didn’t intend. Soon, I am spending hundreds of dollars to get back to a stable state.
As an attorney who specializes in HIPAA compliance, though, I remind myself that change should be carefully managed. When it comes to the confidential information of patients or bank customers, federal and state law require that it be managed.
St. Joseph Health, a Catholic healthcare chain in California, New Mexico and Texas, found this out the hard way in October 2016 when the US Department of Health and Human Services (HHS) assessed a $2,140,500 settlement after St. Joseph’s left the personal health care information of 31,800 individuals publicly exposed to Internet searches on a new computer server that it added to its network.
The problem was not that the information was accessed, but that it could have been. This sensitive personal information (SPI) was open to the Internet for more than a year before St. Joseph’s found the problem. The technical mistake was a simple error anyone could make. The server St. Joseph’s purchased “included a file sharing application whose default settings allowed anyone with an Internet connection to access them,” according to the HHS Resolution Agreement.
HHS Finds Additional Violations
St. Joseph corrected the situation and self-reported to HHS. When HHS studied the problem further, it discovered that St. Joseph’s had not conducted an enterprise-wide risk analysis of the privacy and security of the patient data entrusted to it in six years. Instead, it had assessed itself “in a patchwork manner.” Comprehensive risk assessments are required by the Health Insurance Portability and Accountability Act (“HIPAA”).
In the settlement with St. Joseph’s, HHS explained the scope of what is required of an entity that creates or holds protected healthcare information about individuals. It must do “an accurate and thorough enterprise-wide risk analysis of security risks and vulnerabilities that incorporates all electronic equipment, data systems, and applications controlled, administered and owned by [the covered entity], its workforce members, and affiliated staff that contains, stores, transmits, or receives electronic protected health information (ePHI) for review” and develop “a complete inventory of all electronic equipment, data systems, and applications that contain or store ePHI, which [must] be incorporated in its risk analysis.”
There are two unmistakable lessons from St. Joseph’s recent HIPAA settlement with HHS. First, entities managing electronic health information must incorporate security and privacy concerns in everything they do, even something as mundane as adding a server to the network. Each healthcare organization needs an IT Change Management Policy that embodies a deep and thorough awareness of, and commitment to, the confidentiality of patient information. Second, these entities need to look frequently at their entire systems to make sure that these commitments are implemented in every action of the organization. Reviews of individual processes or systems must roll up into a current, comprehensive, and systematic evaluation of the whole.
Healthcare Organizations Turn to Outsourced Solutions
Most healthcare providers will find that outsourcing IT functions like the ones discussed in this case to a managed IT services company experienced in HIPAA compliance is not only less expensive than hiring compliance specialists, but also gives them the benefit of many years of experience across hundreds of healthcare organizations, not just their own.