The University of Washington Medicine has agreed to settle for $750,000 following a 2013 data breach that exposed the health information of 90,000 patients.
The steady stream of such settlements illustrates HHS' concern over providers' compliance with the security provisions of the Health Insurance Portability and Accountability Act, experts say. HHS' Office for Civil Rights said this newest settlement shows the need for organizationwide risk analyses. The settlement also calls upon UWM to provide documentation on a structural reorganization of its compliance program.
“All too often we see covered entities with a limited risk analysis that focuses on a specific system such as the electronic medical record or that fails to provide appropriate oversight and accountability for all parts of the enterprise,” said Jocelyn Samuels, director of HHS' Office for Civil Rights in a statement.
Wendy Giles, UWM chief operating officer for IT services, said the Seattle-based system is confident it will be able to meet the requirements of the settlement agreement. She emphasized that no EHRs were accessed, and the UWM has not had any reports of patient information being used or compromised.
She said UWM's affiliates are now under the umbrella of the system's information security program. “We view it as an opportunity to continually enhance and strengthen our security program,” Giles said.
The breach occurred after an employee downloaded an e-mail attachment that contained malware. The malware compromised the organization's information technology system, exposing patients' names, medical record numbers, charges, and, in some cases, addresses, phone numbers, birth dates, Social Security numbers and insurance identification or Medicare numbers.
Under HIPAA, covered entities and their affiliated covered entities must have certain policies and processes to protect patient data. The Office for Civil Rights found in an investigation that UWM did not ensure all of its affiliates were properly conducting risk assessments and appropriately responding to potential risks.
A failure to hold affiliates accountable for implementing organizationwide policies and procedures has been a theme in a number of HHS OCR settlements, said David Holtzman, a former official with OCR and a current vice president of compliance at consulting firm CynergisTek.
“The resolution agreements and corrective action plans have been fairly consistent in highlighting that this is a gap,” Holtzman said.
OCR has often previously been concerned with total noncompliance, whereas in this case, it seems to be finding fault with the degree of noncompliance, said Anna Spencer, a partner at Sidley Austin. OCR seems to be saying it's not enough to simply perform a risk assessment; it has to be of a certain scope and type, Spencer said. That may be an expansion of prior enforcement, she said.
Providers will now “need to look at the scope of their risk assessments and make sure they are broad enough and they're capturing all of the entities within a system,” Spencer said.
Spencer said not all covered entities are struggling with HIPAA compliance, but it's an ongoing challenge for many because systems and threats to those systems are constantly changing.
Lisa Clark, a partner at Duane Morris, said HHS has given ample warning about the importance of security compliance. She expects to see more such enforcement.
“They're just getting more focused on security compliance because that's really the issue with all these big breaches we're hearing about,” Clark said.
Holtzman also noted that this is the first time he can remember such a settlement calling for a structural reorganization of an entity's compliance program.
The University of Washington Medicine settlement with HHS is at least the sixth so far this year. Less than two weeks ago, Lahey Hospital and Medical Center in Burlington, Mass., agreed to pay $850,000 in a HIPAA settlement after an unencrypted laptop used with a computerized tomography scanner was stolen from an unlocked treatment room in Lahey's radiology department in 2011.