[co-author: Peter B. Steffensen]
How the theft of a single password-protected laptop turned into an enterprise-wide review of an organization’s data protection practices.
Following the announcement of a recent settlement between the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) and Catholic Health Care Services, OCR has announced another significant settlement agreement and corrective action plan (CAP), this time with the University of Mississippi Medical Center (UMMC). The agreement imposes a $2,750,000 penalty and three-year CAP on the Jackson-based medical center, one of the few public academic medical centers in the state.
OCR began investigating UMMC following a March 2013 incident involving the disappearance of a laptop containing the ePHI of approximately 10,000 patients from UMMC’s Medical Intensive Care Unit. The resulting OCR inquiry into the medical center’s compliance with HIPAA regulations uncovered a number of violations, including the failure to:
Implement policies and procedures to adequately anticipate and protect against security vulnerabilities;
Secure ePHI-accessible workstations with physical safeguards that would limit access to authorized users;
Institute unique user IDs that could track individual employee access to ePHI; and
Directly notify individuals whose unsecured ePHI may have been accessed, despite providing substitute notice on its website and in local media.
In addition to the substantial monetary penalty assessed against UMMC, the medical center consented to a three-year CAP mandating a host of internal modifications to UMMC’s data security practices. These requirements include installing a monitor to observe and report on the medical center’s compliance with the CAP, performing a risk analysis and developing a new risk management plan to address the security vulnerabilities identified by OCR, rolling out a unique user identification system to adequately track individuals with ePHI privileges, conducting security awareness training for employees with access to ePHI, and providing annual compliance reports to OCR.
The UMMC settlement highlights how tugging at the thread can unravel the sweater. Here OCR’s investigation, triggered following the theft of a single password-protected laptop, turned into an enterprise-wide review of UMMC’s data protection practices. The resulting settlement reinforces the need for covered entities to address potential security vulnerabilities, and to ensure that a simple problem does not balloon into substantial liability for the organization.
It is crucial that organizations routinely conduct risk analyses and implement any necessary remediation measures through corresponding risk management plans.