December 23, 2015

The University Of Washington Medicine Agrees To Settlement For Potential HIPAA Violations

King & Spalding

+ Follow Contact

Send

Embed

The University of Washington Medicine (“UWM”) has agreed to settle the investigation conducted by the U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) of potential HIPAA violations arising from a 2013 malware attack on the organization that put around 90,000 individuals’ electronic protected health information (“e-PHI”) at risk. The settlement includes UWM’s institution of a corrective action plan, annual reporting on UWM’s compliance efforts, and a $750,000 monetary payment.

The agreement was announced by HHS on December 14, 2015.

UWM is the primary teaching hospital of the University of Washington School of Medicine. As an “affiliated covered entity,” as defined by HIPAA, it is required to have in place policies and procedures to ensure HIPAA compliance, including “to prevent, detect, contain and correct security violations.”

The malicious malware that put the UWM patients’ information at risk was downloaded onto a UWM administrative computer by an employee who clicked on an email attachment. The information of two groups of patients was compromised―one involving a combination of patient names, medical record numbers, dates of service, and billing information; the other involving names, medical record numbers, and other demographic information such as dates of birth, phone numbers, addresses, social security numbers, and insurance and billing information.

UWM notified OCR of the breach in November 2013, and an investigation was opened the following month. The OCR investigation concluded that UWM “failed to implement policies and procedures to prevent, detect, contain, and correct security violations.” Specifically, OCR found that UWM “failed to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of e-PHI.”

A copy of the Resolution Agreement and Corrective Action Plan is available by clicking here.

HHS offers guidance on how organizations can conduct a risk assessment in compliance with the HIPAA Security Rule, which can be found by clicking here.

Reporter, Katie Bates, Atlanta, +1 404 572 4752, kbates@kslaw.com

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

Written by:

King & Spalding

Contact + Follow

less

PUBLISH YOUR CONTENT ON JD SUPRA NOW

Increased visibility
Actionable analytics
Ongoing guidance

Learn More

Published In:

Corrective Actions

+ Follow

HIPAA Breach

+ Follow

Malware

+ Follow

OCR

+ Follow

PHI

+ Follow

Settlement

+ Follow

Teaching Hospitals

+ Follow

Consumer Protection

+ Follow

Health

+ Follow

Privacy

+ Follow

Science, Computers & Technology

+ Follow

less

King & Spalding on:

The University Of Washington Medicine Agrees To Settlement For Potential HIPAA Violations

Related Posts

Written by:

PUBLISH YOUR CONTENT ON JD SUPRA NOW

Published In:

King & Spalding on:

"My best business intelligence, in one easy email…"