University of Washington Medicine Settles for $750,000 to Resolve Potential HIPAA Violations.
Date posted: December 31, 2015
The Office of Civil Rights (OCR) settled with the University of Washington School of Medicine (UWM) for potentially violating the Health Insurance Portability and Accountability Act (HIPAA). Under HIPAA, UWM is considered an affiliated covered entity that includes other health care components and entities under the University of Washington. HIPAA requires UWM to implement appropriate policies and procedures with respect to each entity in the affiliated group for overall HIPAA compliance.
According to OCR, UWM failed to implement policies and procedures to prevent, detect, contain, and correct security breaches, thereby violating the HIPAA Security Rule. OCR received a report that an employee downloaded an email attachment containing malware, allowing unauthorized access to the electronic protected health information of approximately 90,000 individuals. The malware compromised UWM’s information technology system and affected several forms of patient data, including names, medical record numbers, Social Security numbers, charges and bill balances, and Medicare numbers. UWM did not ensure that its affiliated entities properly conducted risk assessments and responded appropriately to potential risks and vulnerabilities in their respective environments. As a result, OCR has required UWM to pay $750,000, sign a resolution agreement to implement a corrective action plan, and submit annual reports regarding UWM’s compliance efforts. The corrective action plan requires UWM to develop a risk analysis, create a risk management plan, and reorganize its compliance program to include key Security Rule elements.
The OCR Press Release is available at:
Department of Health and Human Services Office of Civil Rights. “$750,000 HIPAA Settlement Underscores the Need for Organization Wide Risk Analysis.” Press Release. 14 Dec. 2015.