The Office for Civil Rights (OCR) has obtained another big settlement from a covered entity resulting from a data breach. This most recent settlement of fines and penalties and a Resolution Agreement is with the University of Mississippi Medical Center (UMMC) for $2.75 million.
The OCR commenced an investigation against UMMC after UMMC self-reported a data breach on March 21, 2013. The breach occurred when an unencrypted but password-protected laptop went missing from the Intensive Care Unit. The laptop contained the unsecured protected health information (PHI) of approximately 10,000 patients, which triggered the investigation.
As it frequently does, the OCR asked UMMC for all of its HIPAA policies and procedures and, according to the OCR, UMMC “failed to implement policies and procedures to prevent, detect, contain, and correct security violations, including conducting an accurate and thorough assessment of the potential risks and vulnerabilities” to PHI from the HIPAA Security Rule implementation compliance date of April 20, 2005 to the present date.
According to the OCR, UMMC also failed to implement physical safeguards for workstations, failed to assign a unique user name and/or number for identifying and tracking user identity in its IT systems, and allowed a shared department network drive to be accessed through a generic account, so an accounting of which user was accessing information was impossible.
Finally, and significantly, the OCR found that UMMC failed to provide individual notification of the data breach, as it failed to notify the individuals whose unsecured PHI was contained on the laptop and only provided notification on its website and through local media outlets.
The lessons from this enforcement action offer guidance that covered entities may wish to consider: 1) update policies and procedures to comply with the Security Rule; 2) confirm that physical safeguards are in place for workstations; 3) confirm and update security risk assessment and risk management policies and procedures; 4) implement access control measures, including unique user names and passwords for access to PHI; and 5) implement a breach notification policy that includes processes to notify affected individuals in the event of a data breach and that follows the HIPAA breach notification requirements.