Last week, the University of Washington Medicine (UWM), an affiliated covered entity that includes multiple entities such as the University of Washington Medical Center, agreed to settle alleged violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) by paying $750,000 and implementing a substantial corrective action plan.

The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) initiated its investigation into UWM following receipt of a HIPAA breach notification from UWM in November 2013. At that time, UWM discovered that an employee had downloaded an email attachment containing malicious malware, which led to the improper access of the electronic Protected Health Information (ePHI) of approximately 90,000 individuals. Certain patients had information including Social Security numbers compromised. OCR’s investigation revealed that UWM had failed to ensure that all of its affiliated entities were conducting risk assessments as required by HIPAA and appropriately implementing corrective action in response to identified vulnerabilities.

In order to settle the alleged HIPAA violations, UWM agreed to pay $750,000 and also agreed to enter into a corrective action plan that will remain in effect for 2 years. Pursuant to the corrective action plan, UWM must develop a thorough risk analysis of vulnerabilities facing all affiliated UWM facilities and submit such analysis to OCR for its review and approval. UWM is further obligated to develop a risk management plan, also to be reviewed and approved by OCR, and to reorganize its compliance program to ensure it meets the requirements specified by the HIPAA Security Rule.

OCR Director Jocelyn Samuels used this settlement to highlight the importance of risk assessments in HIPAA compliance. She stated that “all too often we see covered entities with a limited risk analysis that focuses on a specific system such as the electronic medical record or that fails to provide appropriate oversight and accountability for all parts of the enterprise. An effective risk analysis is one that is comprehensive in scope and is conducted across the organization to sufficiently address the risks and vulnerabilities to patient data.” It is important for both covered entities and business associates to note that risk analyses must be documented, comprehensive, and conducted on a regular basis.

This settlement has been added to Cooley’s “Select HIPAA Privacy and Security Enforcement Actions Tracker” that may be accessed on the right side of this page or under the “Resources” tab above.