University with Multiple Covered Entity Components Enters Into $750,000 HIPAA Settlement

Saul Ewing LLP

Summary

On December 14, 2015, the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) announced a $750,000 settlement with the University of Washington (UW). This is the third HIPAA settlement announced by OCR within the last month. The UW settlement highlights the following two points: (1) it is essential that an institution understand which of its affiliates and/or components that provide health care services are “covered entities” under HIPAA, and (2) those institutions with multiple covered entity components must ensure that all of those components are vigorous with respect to HIPAA compliance.

According to the OCR Settlement Agreement, UW has multiple affiliated covered entity components, including an academic medical center and various outpatient clinics.

OCR’s investigation of UW was initiated by UW’s voluntary notice to OCR in November 2013 of a breach of unsecured electronic protected health information (e-PHI) affecting approximately 90,000 individuals. The e-PHI of these individuals was accessed after a UW employee downloaded an e-mail attachment containing malware, which compromised UW’s IT system.

OCR’s investigation revealed that while UW’s HIPAA security policies required all of its affiliated entities to have up-to-date, documented risk assessments, UW did not ensure that all of those affiliated entities were properly conducting risk assessments and appropriately responding to potential risks and vulnerabilities.

In addition to the $750,000 payment, UW and OCR entered into a two-year Corrective Action Plan (CAP) as part of the settlement. Under the terms of the CAP, UW is required to:

  • Submit a comprehensive risk analysis to OCR and review the risk analysis at least annually;
  • Provide OCR with a risk management plan to address identified risks;
  • Complete a structural reorganization of its compliance program within 180 days; and
  • During the term of the CAP, submit an annual report to OCR with respect to the status of and findings regarding UW’s compliance with the CAP.

A copy of the Resolution Agreement and CAP is available here.

In light of the rigorous HIPAA enforcement activity by OCR and the significant payments and corrective actions required, institutions should make sure they know at all times (i) which of their affiliates or components are providing health care services, (ii) whether those health care providers are covered entities subject to HIPAA, and (iii) that the entity or institution oversees HIPAA compliance with respect to each of these components. Further, covered entities and business associates should review their HIPAA privacy and security rule compliance programs, including their risk assessments and risk management plans. If those programs, risk assessments or risk management plans have not been completed recently, or have not been completed at all, institutions should complete these tasks immediately.

The UW settlement is an example of OCR’s recent emphasis on HIPAA security rule enforcement. Saul Ewing will continue to monitor future HIPAA enforcement by OCR. The Firm has written extensively about OCR enforcement activities, including:

Stolen, Unencrypted Laptop Leads to $850,000 Settlement and Comprehensive Corrective Action Plan for Massachusetts Teaching Hospital

Reports Instruct Office of Civil Rights to Increase HIPAA Enforcement Activities

$750,000 Settlement Agreement Reiterates Importance of HIPAA Security Rule Compliance

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Saul Ewing LLP | Attorney Advertising