U. of Washington Medicine reaches HIPAA settlement

Modern Healthcare - REGIONAL NEWS - Lisa Schencker

University of Washington Medicine has agreed to settle for $750,000 following a 2013 data breach that exposed the health information of 90,000 patients.

The steady stream of such settlements illustrates HHS’ concern over providers’ compliance with the security provisions of the Health Insurance Portability and Accountability Act, experts say. HHS’ Office for Civil Rights said this newest settlement demonstrates the need for organization-wide risk analyses. The settlement also calls on UWM to provide documentation showing a structural reorganization of its compliance program.

The breach occurred after a UWM employee downloaded an e-mail attachment that contained malware. The malware compromised the organization’s information technology system, exposing patients’ names, medical record numbers, charges, and in some cases, addresses, phone numbers, birth dates, Social Security numbers and insurance identification or Medicare numbers.

Under HIPAA, covered entities and their affiliated covered entities must have certain policies and processes to protect patient data. The OCR found in its investigation that UWM did not ensure that all of its affiliates were properly conducting risk assessments and appropriately responding to potential risks.

A failure to hold affiliates accountable for implementing organizationwide policies and procedures has been a theme in a number of settlements between HHS and the Office of Civil Rights, said David Holtzman, a former OCR official and a current vice president of compliance at consulting firm CynergisTek.
