The University of Washington Medicine (UWM) recently agreed to a $750,000 fine as part of a HIPAA settlement stemming from a 2013 incident.
UWM filed a breach report with OCR on November 27, 2013, after an email containing malware reportedly compromised the ePHI of approximately 90,000 individuals.
Two different groups of patients were affected, according to an HHS press release. First, approximately 76,000 patients had some combination of names, medical record numbers, dates of service, and/or charges or bill balances affected.
In the other group, approximately 15,000 patients had names, medical record numbers, other demographics such as address and phone number, dates of birth, charges or bill balances, Social Security numbers, and insurance identification or Medicare numbers possibly exposed.
OCR found that UWM “did not ensure that all of its affiliated entities were properly conducting risk assessments and appropriately responding to the potential risks and vulnerabilities in their respective environments.”
“All too often we see covered entities with a limited risk analysis that focuses on a specific system such as the electronic medical record or that fails to provide appropriate oversight and accountability for all parts of the enterprise,” OCR Director Jocelyn Samuels said in a statement. “An effective risk analysis is one that is comprehensive in scope and is conducted across the organization to sufficiently address the risks and vulnerabilities to patient data.”
The OCR resolution agreement adds that, along with the monetary penalty, UWM must develop a current, comprehensive and thorough risk analysis. The risk analysis must be reviewed annually and updated as necessary “in response to environmental or operational changes affecting the security of e-PHI throughout” UWM.
UWM must also submit a risk management plan to HHS and make any changes HHS requests within 60 days. The revised risk management plan is then returned to HHS for approval or disapproval, and the process repeats until the plan has been approved.
“UW shall promptly implement the Risk Management Plan upon HHS’ final approval in accordance with its applicable administrative procedures,” reads the resolution agreement.
This is just the latest HIPAA settlement reached between OCR and a covered entity.
One of the more expensive fines was recently handed down to Triple-S Management Corporation (TRIPLE-S), totaling $3.5 million.
Several data breaches were reported by TRIPLE-S or its wholly owned subsidiaries, many of them taking place between 2010 and 2015.
“This case sends an important message for HIPAA Covered Entities not only about compliance with the requirements of the Security Rule, including risk analysis, but compliance with the requirements of the Privacy Rule, including those addressing business associate agreements and the minimum necessary use of protected health information,” Samuels said.
Among other issues, OCR found that TRIPLE-S failed to have the necessary administrative, physical, and technical safeguards to protect PHI, and also “failed to conduct an accurate and thorough risk analysis that incorporates all IT equipment, applications, and data systems utilizing ePHI.”
Lahey Clinic Hospital, Inc. (Lahey) also recently agreed to a HIPAA settlement, which requires Lahey to conduct a comprehensive risk analysis and improve how it develops one going forward.
In that case, a laptop was stolen from an unlocked treatment room “off of the inner corridor” in the hospital’s radiology department on October 11, 2011.
OCR explained that Lahey failed to implement the necessary physical safeguards and “failed to conduct an accurate and thorough analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of its ePHI as part of its security management process.”