$750,000 HIPAA Settlement Highlights the Importance of Risk Assessments under HIPAA

By Matthew J. Effken

The U.S. Department of Health and Human Services Office of Civil Rights (OCR) and The University of Washington Medicine (UW Medicine) recently announced an agreement to settle an OCR investigation into a self-reported HIPAA breach involving UW Medicine patient records.  The breach occurred when a UW Medicine staff member opened an e-mail attachment that contained malicious code, allowing outsiders to gain potential access to confidential patient information.  The information compromised included treatment and demographic information such as addresses, dates of birth and social security numbers for over 90,000 UW Medicine patients.

The settlement agreement states that UW Medicine had adopted HIPAA security policies and procedures, but had not assured that its affiliated entities had implemented such procedures.  UW Medicine also failed to conduct comprehensive risk assessments to identify and respond to potential security vulnerabilities.  The result was a $750,000 monetary penalty, plus a Resolution Agreement that requires at least two years of enhanced reporting to OCR.  UW Medicine also agreed to a reorganization of its compliance program.  Failure to comply with the Resolution Agreement may result in the imposition of additional monetary penalties.

OCR Director Jocelyn Samuels commented: “An effective risk analysis is one that is comprehensive in scope and is conducted across the organization to sufficiently address the risks and vulnerabilities to patient data.  All too often we see covered entities with a limited risk analysis that focuses on a specific system such as the electronic medical record or that fails to provide appropriate oversight and accountability for all parts of the enterprise.”

The Resolution Agreement is available on the OCR website at: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/uwm/index.html.

© 2015 Vandenack Williams LLC
For more information, Contact Us