OCR settled with Cottage Health, which operates the California-based Santa Barbara Cottage Hospital, Santa Ynez Cottage Hospital, Goleta Valley Cottage Hospital and Cottage Rehabilitation Hospital. The settlement followed OCR's response to two breach reports, one in 2013 and the other in 2015, together affecting over 62,500 patients.
OCR holds that Cottage Health failed to:
- conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of the ePHI
- implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level
- perform periodic technical and non-technical evaluations in response to environmental or operational changes affecting the security of ePHI; and
- obtain a written business associate agreement with a contractor that maintained ePHI on its behalf.
Cottage Health is paying a $3M settlement and entering into a three-year corrective action plan. While the figures are not (yet) published, we expect Cottage Health to pay a lot more to lawyers, credit monitoring agencies and potentially the public. While this may be "just another settlement" to some readers, compliance, security and risk are important business parameters to understand. We are reminded that healthcare comes with significant liabilities and risk, even for organizations that understand HIPAA and work hard to comply with it. Let's work together to keep you off the OCR Wall of Shame.