The University of Mississippi Medical Center (UMMC) has agreed to settle multiple alleged violations of the Health Insurance Portability and Accountability Act (HIPAA) with the U.S. Department of Health and Human Services, Office for Civil Rights (OCR). OCR’s investigation of UMMC was triggered by a breach of unsecured electronic protected health information (“ePHI”) affecting approximately 10,000 individuals. During the investigation, OCR determined that UMMC was aware of risks and vulnerabilities to its systems as far back as April 2005, yet no significant risk management activity occurred until after the breach, due largely to organizational deficiencies and insufficient institutional oversight. UMMC will pay a penalty of $2,750,000 and adopt a corrective action plan to help assure future compliance with HIPAA Privacy, Security, and Breach Notification Rules.
OCR’s investigation revealed that UMMC failed to:
- implement its policies and procedures to prevent, detect, contain, and correct security violations;
- implement physical safeguards for all workstations that access ePHI to restrict access to authorized users;
- assign a unique user name and/or number for identifying and tracking user identity in information systems containing ePHI; and
- notify each individual whose unsecured ePHI was reasonably believed to have been accessed, acquired, used, or disclosed as a result of the breach.
You can read the resolution agreement and corrective action plan here.