University of Mississippi Medical Center HIPAA Settlement Announced

The failure to comply with HIPAA Rules can prove costly, as the University of Mississippi Medical Center HIPAA compliance settlement clearly shows. Following an investigation into a breach of 500 patient records, the Department of Health and Human Services' Office for Civil Rights (OCR) discovered multiple violations of the Health Insurance Portability and Accountability Act (HIPAA) Rules.

The University of Mississippi Medical Center HIPAA settlement includes a stiff financial penalty and the adoption of a 3-year corrective action plan (CAP) to bring UMMC's policies and procedures up to the standards demanded by HIPAA.

$2.75 Million University of Mississippi Medical Center HIPAA Settlement Agreed

OCR launched an investigation into a data breach reported by UMMC in 2013. The data breach was relatively small, exposing only 500 patient records; however, breaches affecting 500 or more individuals must be reported to OCR within 60 days of discovery, and a reported breach of that size is enough to trigger a HIPAA investigation by OCR.

The breach was caused by the loss of a laptop computer containing the electronic protected health information (ePHI) of patients. The laptop computer was protected with a login password, but the data stored on the device were not encrypted. A login password only controls access to the running operating system; it does nothing to protect data at rest, since the drive can simply be removed or booted from other media and read directly. Had the drive been encrypted in line with HHS guidance, the ePHI would have been considered secured and its loss would not have been a reportable breach. The laptop was lost – presumed stolen – from UMMC's Medical Intensive Care Unit. A visitor to the center is believed to have taken the device.

The breach investigation revealed that UMMC had violated a number of HIPAA Rules, which had led to the exposure of a further 10,000 patient health records. One of UMMC's wireless networks could be joined using a generic, shared username and password rather than credentials unique to each user, so anyone who knew those shared credentials could connect, and any access through the network could not be attributed to an individual. If the network had been accessed, some 67,000 UMMC files could potentially have been accessed and copied. 328 of those files contained the ePHI of UMMC patients.

Following the introduction of the HIPAA Enforcement Rule and the incorporation of the Health Information Technology for Economic and Clinical Health (HITECH) Act into HIPAA regulations, OCR can issue fines of up to $1.5 million per violation category per calendar year. The maximum fine is usually only applied to wilful neglect of HIPAA Rules.

Because that cap applies to each violation category for each year the violation persists, a violation that goes uncorrected for several years can be penalized for each of those years, and violations in multiple categories could see financial penalties of many millions of dollars issued.

The University of Mississippi Medical Center HIPAA settlement covers the failure to secure the wireless network; the failure to implement policies and procedures to prevent, detect, contain, and correct security violations; the failure to use appropriate physical safeguards on workstations containing ePHI; the failure to restrict access to ePHI to authorized users; the failure to assign unique user IDs so that access to ePHI could be tracked to an individual; and the failure to notify patients of the breach of their ePHI.

The corrective action plan (CAP) requires the appointment of a monitor to ensure that all elements of the CAP are followed and that the identified HIPAA violations are corrected within the time frames set out in the plan. UMMC must also report to OCR on its HIPAA compliance for a period of 3 years.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news