On December 14, 2015, the U.S. Department of Health and Human Services’ Office for Civil Rights (“OCR”) announced that it had settled potential HIPAA Security Rule violations with the University of Washington on behalf of the university’s medical center, medical school and affiliated labs and clinics (collectively, “UW Medical”).

OCR investigated UW Medical after receiving a breach report in November 2013 involving an incident in which almost 100,000 individuals had their protected health information (“PHI”) accessed after an employee downloaded malware. While UW Medical had policies and procedures that required its relevant covered entities to conduct HIPAA Security Rule risk analyses, those entities failed to do so which led to the lax anti-malware controls that precipitated the incident.

In the resolution agreement, UW Medical agreed to pay a $750,000 settlement to OCR and enter into a Corrective Action Plan that requires UW Medical to:

  • Develop current, comprehensive and thorough risk analyses for relevant UW Medical entities;
  • provide OCR with a risk management plan to address the risks identified in the analyses;
  • reorganize its entire HIPAA compliance program;
  • report any events of noncompliance with its HIPAA policies and procedures; and
  • submit annual compliance reports to OCR for a period of two years.

In the press release accompanying the resolution agreement, OCR Director Jocelyn Samuels stated that covered entities often conduct limited risk analyses and noted that “[a]n effective risk analysis is one that is comprehensive in scope and is conducted across the organization to sufficiently address the risks and vulnerabilities to patient data.”

This settlement is the latest OCR enforcement action this year that has collectively resulted in over $6 million in fines.