The Office for Civil Rights (OCR) closed out 2015 by settling with the University of Washington (UW) for $750,000 to address UW’s potential violations of the Health Insurance Portability and Accountability Act (HIPAA). OCR initially investigated UW after UW reported a breach to the agency in November 2013. The breach occurred after a UW employee downloaded malware, which affected an IT system housing the protected health information of approximately 90,000 individuals. OCR’s ensuing investigation yielded evidence that UW had failed to ensure that all of its affiliated medical entities conducted risk analyses and implemented corresponding risk management plans, as required under HIPAA’s Security Rule.

While UW did not admit liability as part of the settlement, the Resolution Agreement between OCR and UW indicates that the settlement did not encompass potential HIPAA violations due to the breach itself, but rather centered on the potential Security Rule violations that were discovered during the investigation. UW also agreed to enter into a two-year monitoring period with OCR and to develop and implement an enterprise-wide risk analysis and risk management plan.

TIP: This settlement serves as a reminder that regulators may initiate an investigation based on one particular incident, but may expand their investigation – and pursue formal enforcement actions – based on other potential violations discovered during the investigation.