Oregon Health & Science University (OHSU) in Portland has agreed to settle potential Health Insurance Portability and Accountability Act violations with a $2.7 million fine after an investigation by the Office for Civil Rights (OCR) found “widespread and diverse problems” at OHSU.
OHSU must adhere to a three-year corrective action plan.
The investigation was prompted when OHSU submitted multiple breach reports affecting thousands of individuals, including two reports involving unencrypted laptops and another large breach involving a stolen unencrypted thumb drive.
OCR’s investigation uncovered evidence of “widespread vulnerabilities” within OHSU’s compliance program, including storage of the electronic protected health information (ePHI) of more than 3,000 individuals on a cloud-based server without a business associate agreement. The resolution agreement and corrective action plan are available to readers online at http://bit.ly/29PjtTf.