$2.75 Million OCR Settlement Underscores the Importance of Risk Management and Analysis


[co-author: Peter B. Steffensen]

How the theft of a single password-protected laptop turned into an enterprise-wide review of an organization’s data protection practices.

Following the announcement of a recent settlement between the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) and Catholic Health Care Services, OCR has announced another significant settlement agreement and corrective action plan (CAP), this time with the University of Mississippi Medical Center (UMMC). The agreement imposes a $2,750,000 penalty and three-year CAP on the Jackson-based medical center, one of the few public academic medical centers in the state.

OCR began investigating UMMC following a March 2013 incident involving the disappearance of a laptop containing the ePHI of approximately 10,000 patients from UMMC’s Medical Intensive Care Unit. The resulting OCR inquiry into the medical center’s compliance with HIPAA regulations uncovered a number of violations, including the failure to:

  • Implement policies and procedures to adequately anticipate and protect against security vulnerabilities;
  • Secure ePHI-accessible workstations with physical safeguards that would limit access to authorized users;
  • Institute unique user IDs that could track individual employee access to ePHI; and
  • Directly notify individuals whose unsecured ePHI may have been accessed, despite providing substitute notice on its website and in local media.

In addition to the substantial monetary penalty assessed against UMMC, the medical center consented to a three-year CAP mandating a host of internal modifications to UMMC’s data security practices. These requirements include installing a monitor to observe and report on the medical center’s compliance with the CAP, performing a risk analysis and developing a new risk management plan to address the security vulnerabilities identified by OCR, rolling out a unique user identification system to adequately track individuals with ePHI privileges, conducting security awareness training for employees with access to ePHI, and providing annual compliance reports to OCR.

The UMMC settlement highlights how tugging at the thread can unravel the sweater. Here, OCR’s investigation, triggered by the theft of a single password-protected laptop, turned into an enterprise-wide review of UMMC’s data protection practices. The resulting settlement reinforces the need for covered entities to address potential security vulnerabilities, and to ensure that a simple problem does not balloon into substantial liability for the organization.

It is crucial that organizations routinely conduct risk analyses and implement any necessary remediation measures through corresponding risk management plans.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© BakerHostetler | Attorney Advertising
