On October 18, 2016, the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) announced a settlement with St. Joseph Health (SJH), a California-based health system that encompasses a number of facilities across that state, Texas, and New Mexico, for HIPAA violations.   The SJH agreement marks the 12th OCR settlement this year for HIPAA violations.

SJH notified OCR in February 2012 that files containing electronic protected health information (ePHI) had been publically available on the internet from early 2011.  The data, affecting nearly 32,000 individuals, encompassed various combinations of patient information, including patient names, BMI, blood pressure, lab results, smoking status, diagnoses, medication allergies, advance directives, and demographic information.

The ePHI reportedly become publicly available when SJH introduced a new server to its system. The server, according to the OCR investigation, had a file sharing application “whose default settings allowed anyone with an internet connection to access them.”  OCR’s investigation indicated the following potential HIPAA violations:

  • From February 1, 2011 to February 13, 2012, SJH potentially disclosed the ePHI of 31,800 individuals;
  • Evidence indicated that SJH failed to conduct an evaluation in response to the environmental and operational changes presented by implementation of a new server for its meaningful use project, thereby compromising the security of ePHI;

Although SJH hired a number of contractors to assess the risks and vulnerabilities to the confidentiality, integrity and availability of ePHI held by SJH, evidence indicated that this was conducted in a patchwork fashion and did not result in an enterprise-wide risk analysis, as required by the HIPAA Security Rule.

“Entities must not only conduct a comprehensive risk analysis, but must also evaluate and address potential security risks when implementing enterprise changes impacting ePHI,” said OCR Director Jocelyn Samuels. “The HIPAA Security Rule’s specific requirements to address environmental and operational changes are critical for the protection of patient information.”

In addition to the $2.14 million settlement, SJH entered into a Corrective Action plan that includes conducting an enterprise-wide risk analysis and the development and implementation of a risk management plan. The entire Resolution Agreement and Corrective Action Plan are available here.

As we have noted in prior Alerts, entities covered by HIPAA must implement strong data security safeguards, and in particular, comply with the HIPAA Security Rule to ensure the confidentiality, integrity, and availability of all of the electronic protected health information (ePHI) they create, receive, maintain, or transmit. Covered entities and business associates must exercise due diligence in reviewing their HIPAA compliance programs and conducting system-wide audits of their ePHI safeguards to identify and update areas that may have vulnerability that could put ePHI at risk.

For more information on HIPAA compliance programs, please contact any one of the following attorneys:


Brian Dickerson, FisherBroyles Partner
Brian E. Dickerson
Naples and Washington D.C. Offices

Nicole Waid, FisherBroyles Partner
Nicole Hughes Waid
Naples Office

Anthony Calamunci, FisherBroyles Partner
Anthony J. Calamunci
Cleveland (Toledo Branch), Chicago, Detroit and New York Offices

Amy Butler, FisherBroyles Partner
Amy L. Butler
Cleveland (Toledo Branch), Chicago, Detroit Offices