18 August 2016

$2.75 Million OCR Settlement Underscores The Importance Of Risk Management And Analysis

BakerHostetler


How the theft of a single password-protected laptop turned into an enterprise-wide review of an organization's data protection practices.

Following the announcement of a recent settlement between the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) and Catholic Health Care Services, OCR has announced another significant settlement agreement and corrective action plan (CAP), this time with the University of Mississippi Medical Center (UMMC). The agreement imposes a $2,750,000 penalty and three-year CAP on the Jackson-based medical center, one of the few public academic medical centers in the state.

OCR began investigating UMMC following a March 2013 incident involving the disappearance of a laptop containing the ePHI of approximately 10,000 patients from UMMC's Medical Intensive Care Unit. The resulting OCR inquiry into the medical center's compliance with HIPAA regulations uncovered a number of violations, including the failure to:

  • Implement policies and procedures to prevent, detect, contain and correct security violations, rather than reacting to them after the fact;
  • Put physical safeguards on workstations that can access ePHI so that only authorized users can reach them;
  • Assign each user a unique ID so that an individual employee's access to ePHI can be tracked and attributed; and
  • Notify affected individuals directly that their unsecured ePHI may have been accessed. UMMC provided only substitute notice on its website and in local media, which does not replace individual notification.

In addition to the monetary payment, UMMC agreed to a three-year CAP that requires a series of changes to its data security practices. These include engaging a monitor to observe and report on the medical center's compliance with the CAP, performing an enterprise-wide risk analysis and developing a risk management plan that addresses the vulnerabilities OCR identified, rolling out a unique user identification system so that every user with access to ePHI can be tracked, conducting security awareness training for employees with access to ePHI, and providing annual compliance reports to OCR.

The UMMC settlement shows how tugging at one thread can unravel the whole sweater. OCR's investigation was triggered by the theft of a single password-protected laptop, but it turned into an enterprise-wide review of UMMC's data protection practices, and the findings that drove the settlement (no unique user IDs, unsecured workstations, no process for anticipating vulnerabilities) had little to do with the laptop itself. The lesson for covered entities is that known security gaps must be addressed before an incident, so that a contained problem does not balloon into substantial liability for the organization.

It is crucial that organizations routinely conduct risk analyses and implement any necessary remediation measures through corresponding risk management plans.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
