Blog: University of Washington Medicine Agrees to Settle Alleged HIPAA Breach

Cooley LLP
Contact
LinkedIn
Facebook
X
Send
Embed

Last week, the University of Washington Medicine (UWM), an affiliated covered entity that includes multiple entities such as the University of Washington Medical Center, agreed to settle alleged violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) by paying $750,000 and implementing a substantial corrective action plan.

The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) initiated its investigation into UWM following receipt of a HIPAA breach notification from UWM in November 2013.  At that time, UWM discovered that an employee had downloaded an email attachment containing malicious malware, which led to the improper access of the electronic Protected Health Information (ePHI) of approximately 90,000 individuals.  Certain patients had information including Social Security numbers compromised.  OCR’s investigation revealed that UWM had failed to ensure that all of its affiliated entities were conducting risk assessments as required by HIPAA and appropriately implementing corrective action in response to identified vulnerabilities.

In order to settle the alleged HIPAA violations, UWM agreed to pay $750,000 and also agreed to enter into a corrective action plan that will remain in effect for 2 years.  Pursuant to the corrective action plan, UWM must develop a thorough risk analysis of vulnerabilities facing all affiliated UWM facilities and submit such analysis to OCR for its review and approval.  UWM is further obligated to develop a risk management plan, also to be reviewed and approved by OCR, and to reorganize its compliance program to ensure it meets the requirements specified by the HIPAA Security Rule.

OCR Director Jocelyn Samuels used this settlement to highlight the importance of risk assessments in HIPAA compliance.  She stated that “all too often we see covered entities with a limited risk analysis that focuses on a specific system such as the electronic medical record or that fails to provide appropriate oversight and accountability for all parts of the enterprise.  An effective risk analysis is one that is comprehensive in scope and is conducted across the organization to sufficiently address the risks and vulnerabilities to patient data.”  It is important for both covered entities and business associates to note that risk analyses must be documented, comprehensive, and conducted on a regular basis.

[View source.]

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Cooley LLP | Attorney Advertising

Written by:

Cooley LLP
Cooley LLP
Contact
more
less

Cooley LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide