On July 7, 2016, the University of Mississippi Medical Center (UMMC) agreed to a $2.75 million settlement with the Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services for multiple alleged violations of the Health Insurance Portability and Accountability Act (HIPAA). Following its investigation of a UMMC breach of electronic protected health information (ePHI) affecting approximately 10,000 individuals, OCR determined that, despite knowledge of its systems' risks and vulnerabilities dating back to 2005, UMMC failed to implement the necessary safeguards, “due largely to organizational deficiencies and insufficient institutional oversight.”
The investigation began in March 2013, when UMMC’s privacy officer notified OCR that a password-protected laptop had gone missing from UMMC’s Medical Intensive Care Unit (MICU). UMMC’s internal investigation concluded that the laptop had likely been stolen by a MICU visitor. OCR’s investigation established the breadth of the potential exposure: from the laptop, an unauthorized user could log in with a generic, shared username and password and reach a directory containing 67,000 files, 328 of which contained the ePHI of the estimated 10,000 affected patients. According to OCR, these files dated back to 2008.
Regarding UMMC’s security deficiencies, OCR also found that UMMC had failed to:
- Implement its policies and procedures to prevent, detect, contain, and correct security violations;
- Implement physical safeguards for all workstations that access ePHI to restrict access to authorized users;
- Assign a unique username and/or number for identifying and tracking user identity in information systems containing ePHI; and
- Pursuant to HIPAA’s Breach Notification Rule, notify each individual whose unsecured ePHI was reasonably believed to have been accessed, acquired, used, or disclosed as a result of the breach.
In addition to the $2.75 million in penalties, UMMC agreed to enter into a three-year corrective action plan (CAP) with OCR. Requirements under the CAP include: the appointment of a qualified UMMC employee as an Internal Monitor (to ensure compliance with the CAP); the Internal Monitor’s submission of a Monitor Plan; revisions to security and breach notification policies; and mandatory OCR-approved security awareness and training.
The UMMC settlement and mandatory CAP are another reminder to covered entities and business associates of the risks and potential consequences, to patients and to the organization itself, of failing to implement both proactive and reactive HIPAA-compliant policies and procedures for PHI storage and security. Two points from this case deserve emphasis. First, a login password on a device is not encryption: only ePHI encrypted in accordance with HHS guidance is “secured” under the Breach Notification Rule, so a lost or stolen device protected by nothing more than a password prompt still triggers notification obligations. Second, a shared generic account defeats the unique-user-identification requirement and leaves no usable audit trail of who accessed which records. By encrypting ePHI at rest on devices and network shares, eliminating shared accounts and monitoring access, establishing incident response processes, and providing effective education and training for the entire workforce, healthcare providers can substantially reduce the likelihood of findings like these.
Contact Our Lawyers For Help
The attorneys at Chilivis Grubman assist healthcare entities of all types and sizes on HIPAA-related issues, including audits, assessments, and OCR investigations. For any questions, or if we can assist you in connection with such a matter, please contact us at (404) 262-6505 or sgrubman@cglawfirm.com.