Privacy and cybersecurity is at the forefront of everyone’s mind these days and, in 2018, the Office for Civil Rights (“OCR”) settled ten cases and prevailed in another before an Administrative Law Judge to the tune of $28,700,000. This is a new record for OCR, besting 2016 by over $5,000,000. The latest settlement clocked in at $3,000,000, owed by a health system in California that experienced two breaches of electronic protected health information (“ePHI”), which affected 62,500 individuals.  The first breach involved a security configuration where persons could access files with ePHI without a username or password, thereby making ePHI available to anyone with access to the health system’s server.  The second breach involved a server misconfiguration, exposing the health system’s ePHI over the internet, including social security numbers and treatment information.

In its investigation, OCR uncovered that the health system: (1) failed to conduct a thorough security assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of the ePHI maintained on its system; (2) failed to perform technical and non-technical evaluations in response to environmental or operational changes affecting the ePHI; and (3) failed to obtain a written business associate agreement with a contractor that maintained ePHI for it.

There are a couple of takeaways from this latest OCR settlement.  First, all covered entities should ensure that they have conducted a recent security assessment of their systems, to identify and understand the risks and vulnerabilities to ePHI.  Covered entities need to conduct these security assessments periodically, especially as entities make changes to their computer systems and vendors, including their electronic health record systems.  Second, all covered entities should conduct a business associate audit, examining their vendor contracts and ensuring that a business associate agreement is in place with any vendor that will receive, maintain, or transmit PHI or ePHI on behalf of the covered entity.