OCR Enters into a $750,000 HIPAA Settlement for Organization’s Failure to Implement Effective Policies and Procedures

The HHS Office for Civil Rights (OCR) has entered into a settlement agreement with the University of Washington Medicine (UWM) to resolve a potential violation of the HIPAA Security Rule for failing to implement policies and procedures to prevent, detect, contain, and correct security issues. UWM is a primary teaching hospital of the University of Washington School of Medicine. The settlement includes a monetary payment of $750,000, a corrective action plan, and annual reports on the organization’s compliance efforts.

OCR acted following receipt of a breach report, which indicated that the electronic protected health information (e-PHI) of approximately 90,000 individuals was accessed after an employee downloaded an email attachment containing malicious malware. The attachment compromised the IT system, affecting (1) the names, medical record numbers, dates of service, and/or charges or bill balances of approximate 76,000 patients; and (2) the names, medical record numbers, and other demographics such as address, phone number, dates of birth, charges or bill balances, social security numbers, and insurance identification or Medicare numbers of approximately 15,000 patients.

Security policies required UWM’s affiliated entities to have up-to-date, documented system-level risk assessments and to implement safeguards in compliance with the HIPAA Security Rule. However, they did not ensure that all affiliated entities were properly conducting risk assessments and appropriately responding to the potential risks and vulnerabilities in their respective environments. OCR noted:

“All too often we see covered entities with a limited risk analysis that focuses on a specific system such as the electronic medical record or that fails to provide appropriate oversight and accountability for all parts of the enterprise… [a]n effective risk analysis is one that is comprehensive in scope and is conducted across the organization to sufficiently address the risks and vulnerabilities to patient data.”

Lessons Learned

1. Ensure that HIPAA Privacy and Security Officers have developed and implemented all the necessary policies and procedures.
2. As part of ongoing monitoring, ensure the HIPAA Privacy and Security Officers are verifying that policies are followed properly through periodic risk assessments.
3. Ensure an independent Ongoing Auditing to verify that Privacy and Security Officers are meeting their obligations. Also validate the effectiveness of internal controls, policies, and procedures, and ensure that identified risks have been properly addressed.
4. Ensure that the hotline is set up to receive HIPAA-related calls.
5. Ensure that the hotline is properly posted to permit reporting of potential HIPAA violations.
6. Verify that the Code of Conduct covers reporting HIPAA violations and that employees are trained on reporting HIPAA violations.
7. Determine that all complaints, allegations, and reports of potential non-compliance have been investigated thoroughly and that all findings acted upon in a timely fashion.

HHS offers guidance on how organizations can conduct a HIPAA risk analysis.

To learn more about non-discrimination and health information privacy laws, civil rights, and privacy rights in health care and human service settings, and to find information on filing a complaint, visit the OCR website.