The University of Washington has agreed to pay $750,000 for alleged violations of the Health Insurance Portability and Accountability Act (HIPAA) of 1996.
The Office for Civil Rights (OCR) began its investigation back in 2013 after the University had reported a data breach. According to the report, a UW employee had unknowingly downloaded malicious software to their computer, which subsequently spread throughout a connected network that contained the Protected Health Information (PHI) of some 90,000 individuals. As noted on the official HHS website, when a data breach affects 500 or more individuals, the covered entity must notify the Secretary in a reasonable amount of time, and no later than 60 days after the breach.
While UW officials notified the Secretary within 60 days, OCR investigators found other violations. They determined that UW did not conduct risk analyses throughout its medical offices and entities, as required by the HIPAA Security Rule, nor did it implement the appropriate risk management plans.
Years after the data breach, UW and the OCR have finally come to an agreement. In the Resolution Agreement, UW did not admit to any willful wrongdoing for the incident, but it has agreed to pay $750,000 and enter into a 2-year monitoring program during which the OCR will closely monitor its actions to ensure it remains compliant with HIPAA.
“On November 27, 2013, HHS received notification from UW Medicine regarding a breach of its unsecured electronic protected health information (e-PHI). On December 26, 2013, HHS notified UW Medicine of this investigation regarding UW Medicine’s compliance with the Privacy, Security, and Breach Notification Rules,” wrote the OCR in its Resolution Agreement with UW.
News of the settlement between UW and the OCR should serve as a reminder to all doctors and covered entities out there to conduct routine risk analyses. Many covered entities overlook this process, assuming it has little or no use. Even if it doesn't yield any surprising findings, however, a risk analysis is a fundamental step towards HIPAA compliance.
If you need help conducting a risk analysis in your healthcare practice, check out https://www.healthit.gov/providers-professionals/security-risk-assessment. The OCR has published a free-to-use risk analysis tool on its website, allowing covered entities to simplify this process. Upon visiting the aforementioned link, click the “DOWNLOAD TOOL” button on the bottom-left to download the risk analysis tool.