The University of Washington Medicine has agreed to pay a $750,000 fine stemming from a data breach that occurred back in 2013, disclosing the Protected Health Information (PHI) of some 90,000 patients.
Under the Health Insurance Portability and Accountability Act (HIPAA) of 1996, doctors, chiropractors, dentists and other covered entities are required to conduct regular “risk assessments” to identify potential risks to PHI. The Office for Civil Rights (OCR), however, alleges that the University of Washington Medicine did not properly conduct these risk assessments, placing its patients' data at risk of disclosure.
“All too often we see covered entities with a limited risk analysis that focuses on a specific system such as the electronic medical record or that fails to provide appropriate oversight and accountability for all parts of the enterprise,” said Jocelyn Samuels, director of HHS' Office for Civil Rights in a statement.
So, how did this breach happen? According to various reports, a worker at the University of Washington Medicine unknowingly downloaded an email attachment that contained malware. Once downloaded, the malware spread throughout the school's computer network, stealing patient names, birthdates, addresses, phone numbers, Social Security numbers, health insurance account numbers, and other personally identifiable information.
HIPAA requires both covered entities and their business associates to have policies and procedures in place to protect their patients' data from unauthorized use or disclosure. After launching an investigation, the OCR found that the University of Washington Medicine did not ensure that its business associates were conducting routine risk assessments, leaving its patients' data vulnerable to breach.
In addition to paying a $750,000 fine, the University of Washington Medicine must also implement corrective measures to prevent future data breaches of this magnitude from occurring.
HIPAA-related fines are becoming increasingly commonplace as the OCR prepares for a new round of audits. Whether you operate a large hospital or a small general care practice, you should familiarize yourself with the nuances of HIPAA and its respective rules. HIPAA consists of the Privacy Rule, Security Rule, and Breach Notification Rule, each of which has its own purpose and characteristics. By learning the details of these rules, you can better protect your healthcare practice from HIPAA-related fines while ensuring your patients' data is protected in the process.