The University of Washington Medicine (“UWM”) has agreed to pay US$750,000 to settle charges that it violated the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Security Rule, following a breach report first submitted by UWM on November 27, 2013. In addition to the settlement, UWM has entered into a Resolution Agreement with the United States Department of Health and Human Services (“HHS”), Office for Civil Rights (“OCR”) and has entered into and agreed to comply with a Corrective Action Plan (“CAP”).
HHS notified UWM of its intent to investigate the alleged breach on December 26, 2013, and during the course of its investigation discovered that UWM failed to implement proper policies and procedures to prevent, detect, and correct security violations, specifically for electronic protected health information (“e-PHI”). As an “Affiliated Covered Entity” under HIPAA, UWM is required to have in place appropriate policies to conduct risk assessments and implement safeguards to ensure that each of its affiliated entities complies with the HIPAA Security Rule. In this case, the e-PHI of approximately 90,000 individuals was compromised after an employee of UWM downloaded an attachment containing malware.
As part of the CAP, UWM has agreed to comply with certain obligations in the realm of security management, risk management, compliance program reorganization, and annual reporting. Within 90 days of entering into the Resolution Agreement and CAP, UWM must submit to HHS, for HHS approval, a detailed Risk Analysis (to include an assessment of the security risks and vulnerabilities associated with e-PHI) and a Risk Management Plan. Within 180 days, UWM must provide documentation of the structural reorganization of its compliance program. Finally, UWM must submit Annual Reports to HHS summarizing the security measures taken and the reportable events that occurred during the reporting period. An officer of UWM must sign and attest that he or she has reviewed the Annual Report prior to submission.
The CAP is effective for a two-year period beginning with the date the parties formally enter into the Resolution Agreement and CAP, assuming UWM does not breach the CAP. In the event UWM breaches any term of the CAP, HHS may impose a civil money penalty (CMP).
HHS issued a press release on December 14, 2015, covering news of the settlement.
*Blake Walsh is admitted only in Tennessee. Her practice is supervised by principals of the firm admitted in the District of Columbia.