On Monday, the HHS Office of Civil Rights (OCR) released its third resolution and settlement agreement in as many weeks. The $750,000 settlement with the University of Washington Medicine (“UWM”) is yet another citing the alleged failure to conduct an enterprise-wide risk analysis as required by the HIPAA Security Rule. As part of the settlement, UMW must implement a corrective action plan and submit annual reports about its HIPAA compliance efforts for two years.
Like the two settlements we profiled earlier this month, OCR commenced an investigation after UWM reported a breach as required by the HIPAA Breach Notification Rule. The breach was caused by malware that a UWM employee inadvertently downloaded when opening an email attachment. The malware potentially exposed the electronic protected health information of 90,000 individuals.
Because UWM is an affiliated covered entity (i.e., a group of covered entities that choose to operate as an integrated entity), UWM is required to ensure that its risk analysis covers each affiliated covered entity. OCR alleged, however, that UWM’s risk analysis did not cover all the affiliated entities and their systems containing ePHI. As OCR Director Jocelyn Samuels stated, “[a]ll too often we see covered entities with a limited risk analysis that focuses on a specific system such as the electronic medical record or that fails to provide appropriate oversight and accountability for all parts of the enterprise.” Thus, as OCR and other agencies clear out their HIPAA audit and enforcement activity backlogs, health care entities should commit to performing and strengthening their security risk analyses in 2016.