Most health system governing boards have some basic awareness of the cybersecurity issues that confront their organizations. Two recent developments serve to confirm the significance of those risks, and help to underscore the board’s critical oversight obligations in the area.

The first development is the July 18 agreement by which Oregon Health & Science University settled potential HIPAA violations through a monetary payment of $2,700,000 by OHSU to the Department of Health and Human Services. The settlement was prompted by an HHS Office of Civil Rights investigation that found widespread and diverse problems at OHSU. OCR’s investigation began after OHSU submitted multiple breach reports affecting thousands of individuals, including two reports involving unencrypted laptops and another large breach involving a stolen unencrypted thumb drive.  The investigation ultimately uncovered evidence of widespread vulnerabilities within OHSU’s HIPAA compliance program. The cited problems will be addressed through a comprehensive three-year corrective action plan. Notably, in its press release announcing the settlement, OCR was highly critical of OHSU’s security management processes.  “This settlement underscores the importance of leadership engagement and why it is so critical for the C-suite to take HIPAA compliance seriously.”

Of similar board oversight relevance is the August 4, 2016, settlement between Advocate Health Care Network and the OCR for multiple potential HIPAA penalties involving ePHI. Advocate will pay a settlement amount of $5.55 million and adopt a corrective action plan. According to OCR’s press release, the penalty is the largest to-date against a single entity, and reflects the extent and duration of the alleged noncompliance. As with the OHSU settlement, the OCR press release contains something of a warning from OCR Director Jocelyn Samuels: “We hope this settlement sends a strong message to covered entities that they must engage in a comprehensive risk analysis and risk management to ensure that individuals’ ePHI is secure.”