Another $750,000 HIPAA Settlement - Focus on Need for Risk Analysis
The HIPAA Final Rule has been in effect since 2013, but HIPAA settlements following breaches continue to be reported. If you think the need for a risk analysis under HIPAA is not important, think again! On December 14, 2015, the Department of Health and Human Services (HHS) announced another $750,000 HIPAA settlement with the University of Washington Medicine (UWM). This settlement not only involves a payment of $750,000 but also requires a corrective action plan and annual reports to the Office for Civil Rights (OCR) on UWM’s compliance efforts. The settlement follows an OCR investigation after UWM reported a breach of electronic protected health information (ePHI) involving approximately 90,000 individuals after an employee downloaded an email attachment containing malicious malware. As a result, UWM’s IT system involving 76,000 patients names, medical record numbers, dates of service, and/or charges or bill balances as well as approximately 15,000 patients’ names, medical record numbers, and other demographics were compromised.