Stay ahead of developments in federal and state health care law, regulation and transactions with timely, expert news and analysis.
By James Swann
Dec. 14 — University of Washington Medicine reached a $750,000 settlement with the federal government to resolve allegations it violated the Health Insurance Portability and Accountability Act Security Rule, the government said Dec. 14.
The Department of Health and Human Services Office for Civil Rights began investigating UWM after receiving a November 2013 report of a breach that affected the electronic protected health information (PHI) of roughly 90,000 patients.
The OCR investigation found that UWM had failed to implement any policies and procedures focused on detecting and preventing data breaches and hadn't performed an organizationwide data security risk analysis.
UWM operates four hospitals in the Seattle area and is part of the University of Washington system.
In addition to the $750,000 penalty, UWM entered into a two-year corrective action plan with the OCR that included requirements to conduct an organizationwide risk analysis and create a risk management plan.
“All too often we see covered entities with a limited risk analysis that focuses on a specific system such as the electronic medical record or that fails to provide appropriate oversight and accountability for all parts of the enterprise,” OCR Director Jocelyn Samuels said in a Dec. 14 statement.
The settlement wasn't an admission of liability by UWM, nor was it a concession by the OCR that UWM wasn't in violation of the HIPAA rules.
The 2013 data breach occurred after a UWM employee downloaded a malware attachment that infected the organization's entire information technology system. Roughly 76,000 of the breached patient records included patient names and dates of services, while the remaining 15,000 records contained patient names as well as Social Security and Medicare numbers.
In addition to the risk analysis and risk management plan, UWM must notify the OCR on progress reorganizing its compliance program, and must report any HIPAA noncompliance to the OCR within 30 days of identifying it.
UWM is also required to submit an annual report to the OCR documenting compliance with the terms of the corrective action plan.
The annual report must include:
To contact the reporter on this story: James Swann in Washington at email@example.com
To contact the editor responsible for this story: Janey Cohen at firstname.lastname@example.org
Notify me when updates are available (No standing order will be created).
Put me on standing order
Notify me when new releases are available (no standing order will be created)