HHS announces HIPAA security rule-related settlement
The Department of Health and Human Services’ Office for Civil Rights yesterday announced a $750,000 settlement with University of Washington Medicine over potential violations of the Health Insurance Portability and Accountability Act’s security rule. An OCR investigation found that UWM’s security policies required its affiliated entities to have up-to-date, documented system-level risk assessments and to implement safeguards in compliance with security rule requirements, but that UWM did not ensure all of its affiliated entities were properly conducting risk assessments and appropriately responding to the potential risks and vulnerabilities in their respective environments. OCR opened its investigation after a breach report indicated that a November 2013 malware attack on a billing office computer provided potential access to electronic protected health information for about 90,000 patients. “The security of our patient information is of utmost importance to us,” said James Fine, M.D., UW Medicine’s chief information officer. “We voluntarily agreed with OCR to continue making our information security program even more robust than the one we have today. We are relieved that there have been no reports of any use or compromise of patient information from this event.”