This week, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) announced that the University of Washington School of Medicine (UWM) agreed to pay $750,000 to resolve allegations that the school failed to adequately protect electronic patient records in violation of HIPAA. The settlement was based on a breach involving a malware attack initiated through an employee's email that exposed the private information of about 90,000 patients. The OCR's continuing concern about the lack of appropriate risk analysis was reflected in a statement by its Director: "All too often we see covered entities with a limited risk analysis that focuses on a specific system such as the electronic medical record or that fails to provide appropriate oversight and accountability for all parts of the enterprise."
The UWM settlement came two weeks after OCR announced a $3.5 million settlement with a Puerto Rican insurance management company, Triple-S, over allegations concerning the company's widespread failures to protect not only digital but also physical records. Among other findings, the OCR cited Triple-S for "failure to conduct an accurate and thorough risk analysis that incorporates all IT equipment, applications, and data systems utilizing ePHI." The Triple-S settlement was previously discussed here.
Continuing the theme, in November, the Lahey Hospital and Medical Center agreed to pay $850,000 to resolve an OCR investigation over a stolen laptop that held data on about 600 patients. Again, the OCR cited at the top of its list of findings a "failure to conduct a thorough risk analysis of all of its ePHI."
Covered Entities should heed the OCR's warnings and ensure that they complete an appropriate risk assessment covering every system, application, and device that stores or transmits ePHI, not just the electronic medical record. Click here for information on Day Pitney's simple-to-use HIPAA self-assessment tool, which is based on OCR's audit protocol.