OCR Announces Three Settlements to Resolve Potential HIPAA Violations.
Date posted: August 1, 2016
The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) recently announced three settlements involving potential violations of the Health Insurance Portability and Accountability Act (HIPAA). Each settlement underscores the consequences of conducting ineffective HIPAA risk analyses and failing to encrypt electronic devices containing sensitive electronic protected health information (ePHI). The settlements require all three entities to pay monetary penalties and implement corrective action plans to ensure future HIPAA compliance.
The University of Mississippi Medical Center (UMMC) is Mississippi’s sole public academic health science center. UMMC settled multiple potential HIPAA violations with OCR stemming from a breach involving the ePHI of roughly 10,000 patients. OCR found that UMMC used a generic password to protect the ePHI stored on its network drive, and that a visitor stole a password-protected laptop from UMMC’s University Hospital. UMMC was aware of the vulnerabilities in its system but lacked an effective risk management process to address them. Further, UMMC failed to notify each individual whose ePHI was potentially used or disclosed as a result of the breach. UMMC will pay OCR $2.75 million for the alleged HIPAA violations.
Oregon Health & Science University (OHSU) is an academic health center and research university with two hospitals and multiple clinics throughout Oregon. OCR launched an investigation after receiving several breach reports from OHSU regarding the theft of two laptops and a thumb drive. OCR determined that 1,361 of the 3,000 individuals whose ePHI was compromised faced significant risk of harm due to the sensitive nature of their diagnoses. OCR further found that while OHSU had performed six risk analyses from 2003 to 2013, the analyses did not fully comply with the Security Rule. The settlement between OCR and OHSU includes a $2.7 million payment.
Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS) provides information technology and management services to six skilled nursing facilities as a business associate. CHCS paid OCR $650,000 after the theft of a CHCS employee-issued mobile phone compromised the ePHI of roughly 412 nursing home residents. The phone was unencrypted and contained Social Security numbers, diagnosis and treatment details, and the names of family members and legal guardians. Further, CHCS failed to develop and implement policies on removing PHI from its facilities, and lacked a risk analysis and risk management plan. OCR will monitor CHCS for two years to ensure compliance with the HIPAA Security Rule and related business associate obligations.
OCR HIPAA News Releases & Bulletins are available at:
Department of Health and Human Services Office for Civil Rights. “Multiple Alleged HIPAA Violations Result in $2.75 Million Settlement with the University of Mississippi Medical Center (UMMC).” Press Release. 21 Jul. 2016.
Department of Health and Human Services Office for Civil Rights. “Widespread HIPAA Vulnerabilities Result in $2.7 Million Settlement with Oregon Health & Science University.” Press Release. 18 Jul. 2016.
Department of Health and Human Services Office for Civil Rights. “Business Associate’s Failure to Safeguard Nursing Home Residents’ PHI Leads to $650,000 HIPAA Settlement.” Press Release. 29 Jun. 2016.