University of Mississippi Medical Center to pay $2.75 million HIPAA breach settlement

The Office for Civil Rights said that UMMC was aware of security risks as far back as April 2005 but did not take appropriate action.
By Bernie Monegain
10:59 AM
Mississippi HIPAA breach

The University of Mississippi Medical Center has agreed to pay a $2,750,000 fine levied by the Department of Health and Human Services Office for Civil Rights to settle several violations of the Health Insurance Portability and Accountability Act.

The breach goes back to March 21, 2013, when UMMC’s privacy officer discovered a password-protected laptop was missing from UMMC’s Medical Intensive Care Unit and notified OCR.

The breach of unsecured electronic protected health information affecting approximately 10,000 people triggered the OCR investigation, which said that UMMC was aware of risks and vulnerabilities to its systems as far back as April 2005, yet took no action to avoid it.

[Also: OHSU pays $2.7 million fine to HHS Office for Civil Rights for two HIPAA breaches]

Besides paying a penalty, UMMC also agreed to adopt a corrective action plan to ensure compliance going forward.

“In addition to identifying risks and vulnerabilities to their ePHI, entities must also implement reasonable and appropriate safeguards to address them within an appropriate timeframe,” OCR Director Jocelyn Samuels said in a statement. “We at OCR remain particularly concerned with unaddressed risks that may lead to impermissible access to ePHI.”

OCR’s investigation revealed that UMMC failed on several scores. The university did not implement its policies and procedures to prevent, detect, contain, and correct security violations, nor did it implement physical safeguards for all workstations that access ePHI.

Also, UMMC should have assigned a unique user name and/or number for identifying and tracking user identity in information systems containing ePHI, OCR said.

Moreover, OCR said UMMC should have notified each individual whose unsecured ePHI was reasonably believed to have been accessed, acquired, used or disclosed as a result of the breach.

Twitter: @Bernie_HITN
Email the writer:

Like Healthcare IT News on Facebook and LinkedIn