How the theft of a single password-protected laptop turned into an enterprise-wide review of an organization's data protection practices.
Following the announcement of a recent settlement between the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) and Catholic Health Care Services, OCR has announced another significant settlement agreement and corrective action plan (CAP), this time with the University of Mississippi Medical Center (UMMC). The agreement imposes a $2,750,000 penalty and three-year CAP on the Jackson-based medical center, one of the few public academic medical centers in the state.
OCR began investigating UMMC following a March 2013 incident involving the disappearance of a laptop containing the ePHI of approximately 10,000 patients from UMMC's Medical Intensive Care Unit. The resulting OCR inquiry into the medical center's compliance with HIPAA regulations uncovered a number of violations, including the failure to:
- Implement policies and procedures to adequately anticipate and protect against security vulnerabilities;
- Secure ePHI-accessible workstations with physical safeguards that would limit access to authorized users;
- Institute unique user IDs that could track individual employee access to ePHI; and
- Directly notify individuals whose unsecured ePHI may have been accessed, despite providing substitute notice on its website and in local media.

In addition to the substantial monetary penalty assessed against UMMC, the medical center consented to a three-year CAP mandating a host of internal modifications to UMMC's data...