Oregon Health & Science University (OHSU) has agreed to settle alleged HIPAA violations involving two separate data breaches with the Office for Civil Rights (OCR) for $2.7 million.

In the span of three months in 2013, OHSU experienced two reportable data breaches, which triggered investigations by the OCR.

The first occurred when an unencrypted laptop containing the PHI of 4022 patients was stolen from the vacation property of a physician in Hawaii.

The second occurred when physicians used a cloud storage service to share a spreadsheet that contained PHI of 3,044 patients. However, no business associate agreement was put in place prior to using the cloud service and sending the PHI, which, according to the OCR “put the data at risk.”

This guidance from the OCR along with the hefty fines provide strong incentives to encrypt laptops and put effective processes in place for business associate management. Informing physicians and staff about HIPAA requirements and the use of cloud vendors and other third party service providers is key so they understand the risks and are aware of the business associate management program of your entity.