Seattle-based University of Washington Medicine has agreed to settle potential HIPAA violation charges. The settlement includes a $750,000 payment, a corrective action plan and yearly reports on UW Medicine's HIPAA compliance efforts.
In 2013, HHS' Office for Civil Rights launched an investigation into UW Medicine after the health system reported a data breach affecting approximately 90,000 individuals. A UW Medicine employee had downloaded an email attachment containing malware, which compromised the organization's IT system.
The OCR's investigation determined that while UW Medicine's security policies required affiliated entities to have up-to-date, documented risk assessments and implemented safeguards, the health system did not ensure these entities were conducting the risk assessments or responding to potential risks and vulnerabilities.
"All too often we see covered entities with a limited risk analysis that focuses on a specific system such as the electronic medical record or that fails to provide appropriate oversight and accountability for all parts of the enterprise," said OCR Director Jocelyn Samuels. "An effective risk analysis is one that is comprehensive in scope and is conducted across the organization to sufficiently address the risks and vulnerabilities to patient data."