By David Slaughter, JD, Senior Legal Editor
The month of July saw two hospitals reach multimillion-dollar Health Insurance Portability and Accountability Act (HIPAA) privacy and security settlements with the U.S. Department of Health and Human Services (HHS). Each case began with that most mundane of data breaches, the stolen laptop, but once HHS investigators started looking around, they found broader issues with the organization’s approach to data protection.
In both cases, HHS alleged, leadership failings led known security risks to go unaddressed. While these settlements involved health care providers, each highlights HIPAA compliance pitfalls, such as laptop security and cloud storage, that could just as easily befall a plan sponsor or its service providers.
In Jackson, Mississippi, a university hospital agreed to pay HHS $2.75 million to resolve multiple alleged violations of HIPAA’s security and breach notification rules. HHS’ investigation of the University of Mississippi Medical Center (UMMC) was triggered by the theft of a laptop, but the violations ultimately alleged by HHS’ Office for Civil Rights (OCR) ran the gamut of HIPAA’s required administrative, physical, and technical safeguards.
OCR determined that UMMC became aware of risks to its systems as early as 2005, but did not take major steps to curb these risks until after the 2013 breach, which involved the electronic protected health information (e-PHI) of about 10,000 patients. The agency attributed this to organizational deficiencies and insufficient institutional oversight.