University of Mississippi to Pay $2.75 Million for Alleged HIPAA Violations

King & Spalding

On July 21, 2016, the Office for Civil Rights (OCR) at the Department of Health and Human Services (HHS) announced a settlement with the University of Mississippi Medical Center (UMMC), stemming from a 2013 breach of electronic personal health information (ePHI) affecting approximately 10,000 patients.  The terms of the settlement require UMMC to pay a $2.75 million fine for alleged violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), as well as implement a three-year corrective action plan to reform its privacy and data security protocols.

This investigation originated from a March 2013 incident in which a laptop containing patient information was reported missing from UMMC’s intensive care unit.  The university believes that the computer was probably stolen by a hospital visitor who had previously asked to use it.  OCR determined that UMMC lacked several critical institutional policies and infrastructural protections to prevent or mitigate harm caused by data breaches: workstations were logged on to with unsophisticated, generic usernames and passwords; no firewall prevented individuals with basic access to those laptops from reaching the patient database and other sensitive files on UMMC’s network; and no effective tracking mechanism existed to identify when and by whom data had been accessed.  In addition, HHS found that UMMC’s method of notifying the approximately 10,000 patients whose data was available on the missing laptop was inadequate – instead of sending individual notifications regarding the data breach and the risk of potentially compromised PHI to affected persons, UMMC relied on local media and a posting on its website to notify the public of the incident.

During its investigation, OCR also determined that UMMC had knowledge of risk factors and vulnerabilities in its data security and privacy policies as early as 2005, but had not taken sufficient action to institute procedures that would bring the medical center into compliance with the HIPAA Privacy, Security, and Breach Notification Rules “due largely to organizational deficiencies and insufficient institutional oversight.”

This settlement is the second HIPAA enforcement action announced by OCR in recent weeks.  On July 18, the agency also announced its intent to settle an investigation of potential HIPAA violations at the Oregon Health & Science University (OHSU).  In that settlement, the university agreed to pay a $2.7 million fine and institute a three-year corrective action plan after OCR determined that four breaches from 2012-2013, resulting from improper access to laptops and USB drives that were ultimately lost or stolen, compromised PHI of more than 3,000 individuals.

OCR’s press release regarding the UMMC settlement can be found here.  The terms of the settlement, including the corrective action plan, can be found here.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© King & Spalding | Attorney Advertising
