Univ. of Washington Settles Over Potential HIPAA Violations

Stay ahead of developments in federal and state health care law, regulation and transactions with timely, expert news and analysis.

By James Swann

Dec. 14 — University of Washington Medicine reached a $750,000 settlement with the federal government to resolve allegations it violated the Health Insurance Portability and Accountability Act Security Rule, the government said Dec. 14.

The Department of Health and Human Services Office for Civil Rights began investigating UWM after receiving a November 2013 report of a breach that affected the electronic protected health information (PHI) of roughly 90,000 patients.

The OCR investigation found that UWM had failed to implement any policies and procedures focused on detecting and preventing data breaches and hadn't performed an organizationwide data security risk analysis.

UWM operates four hospitals in the Seattle area and is part of the University of Washington system.

In addition to the $750,000 penalty, UWM entered into a two-year corrective action plan with the OCR that included requirements to conduct an organizationwide risk analysis and create a risk management plan.

“All too often we see covered entities with a limited risk analysis that focuses on a specific system such as the electronic medical record or that fails to provide appropriate oversight and accountability for all parts of the enterprise,” OCR Director Jocelyn Samuels said in a Dec. 14 statement.

The settlement wasn't an admission of liability by UWM, nor was it a concession by the OCR that UWM wasn't in violation of the HIPAA rules.

The 2013 data breach occurred after a UWM employee downloaded a malware attachment that infected the organization's entire information technology system. Roughly 76,000 of the breached patient records included patient names and dates of services, while the remaining 15,000 records contained patient names as well as Social Security and Medicare numbers.

Corrective Action Plan

In addition to the risk analysis and risk management plan, UWM must notify the OCR on progress reorganizing its compliance program, and must report any HIPAA noncompliance to the OCR within 30 days of identifying it.

UWM is also required to submit an annual report to the OCR documenting compliance with the terms of the corrective action plan.

The annual report must include:

• a list of any security measures implemented by UWM over the course of the year;
• a listing of all HIPAA noncompliant behavior that occurred over the course of the year;
• a signed attestation from a UWM executive that the organization has complied with the terms of the corrective action plan; and
• a signed attestation from a UWM executive that the annual report is accurate.


To contact the reporter on this story: James Swann in Washington at jswann1@bna.com

To contact the editor responsible for this story: Janey Cohen at jcohen@bna.com

Request Health Care on Bloomberg Law