Recent HIPAA Settlements Highlight Need for Risk Analysis

Posted in Electronic Health Records, HIPAA and the HITECH Act, Hospitals and Institutions, Privacy and Data Protection, Private Insurers, State Matters

This week, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) announced that the University of Washington School of Medicine (UWM) agreed to pay $750,000 to resolve allegations that the school failed to adequately protect electronic patient records in violation of HIPAA. The settlement was based on a breach involving a malware attack initiated through an employee’s email that exposed the private information of about 90,000 patients. The OCR’s continuing concern about the lack of appropriate risk analysis was reflected in a statement by its Director: “All too often we see covered entities with a limited risk analysis that focuses on a specific system such as the electronic medical record or that fails to provide appropriate oversight and accountability for all parts of the enterprise.”

The UWM settlement came two weeks after OCR announced a $3.5 million settlement with a Puerto Rican insurance management company, Triple-S, over allegations concerning the company’s widespread failures to protect not only digital but also physical records. Among other findings, the OCR cited Triple-S for “failure to conduct an accurate and thorough risk analysis that incorporates all IT equipment, applications, and data systems utilizing ePHI.” The Triple-S settlement was previously discussed here.

Continuing the theme, in November, the Lahey Hospital and Medical Center agreed to pay $850,000 to resolve an OCR investigation over a stolen laptop that held data on about 600 patients. Again, the OCR cited at the top of its list, “Failure to conduct a thorough risk analysis of all of its ePHI.”

Covered Entities should heed the OCR’s warnings and ensure that they complete an appropriate risk assessment. Click here for information on Day Pitney’s simple-to-use HIPAA self-assessment tool which is based on OCR’s audit protocol.