Monday, July 25, 2016

U-Miss Medical Center receives $2.75M fine for HIPAA breaches

The HHS Office for Civil Rights is continuing its campaign of sanctioning covered entities and business associates that have run afoul of the HIPAA Security Rule, this time taking aim at the University of Mississippi Medical Center.


UMMC will pay a $2.75 million penalty and has entered into a resolution agreement and corrective action plan after an OCR investigation determined the hospital had been aware of risks and vulnerabilities to protected health information since at least April 2005, the compliance date of the HIPAA Security Rule. The agency asserts that UMMC took no meaningful action to mitigate that risk until after the theft of a laptop in 2013. While the laptop was password protected, it was not encrypted. A login password alone does not protect data at rest: the drive can simply be removed or booted from other media and read in full, which is why OCR treats an unencrypted lost device as a breach of the ePHI on it.


OCR also noted that, while the hospital posted notice of the breach on its website and notified local media, it did not notify the individuals whose data was on the stolen laptop.


“OCR’s investigation revealed that ePHI stored on a UMMC network drive was vulnerable to unauthorized access via UMMC’s wireless network because users could access an active directory containing 67,000 files after entering a generic username and password,” according to an OCR statement. “The directory included 328 files containing the ePHI of an estimated 10,000 patients dating back to 2008.”


In the resolution agreement, OCR said the hospital failed to implement appropriate policies and procedures to comply with HIPAA and protect information. UMMC agreed to the resolution agreement, but noted that its acceptance is not an admission of liability.


OCR charged that UMMC had not implemented security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level; failed to implement safeguards for all workstations that access ePHI; failed to assign a unique user name or number for identifying and tracking user identity; permitted workers to access ePHI on a shared department network drive through a generic account that prevented tracking (when everyone logs in as the same principal, audit logs cannot attribute any access to an individual); and failed “to notify each individual whose unsecured ePHI was reasonably believed to have been accessed, acquired, used or disclosed as a result of the breach” after discovery of the breach.


Under a three-year corrective action plan, UMMC commits to designate a qualified employee to serve as the internal monitor of compliance with the plan, with at least 46 specific compliance milestones expected to be completed.


In a statement, UMMC notes that it has begun substantial improvements in data security in recent years. The improvements include encryption of all laptops; restructuring of the role and reporting relationships of the chief information security officer; and an external assessment and overhaul of its information technology security program.


“Our patients should never have to doubt that their security or privacy is a sacred trust that we are committed to protecting as part of our core ethical values,” says LouAnn Woodward, MD, vice chancellor for health affairs, in the statement. “We have learned from this experience and are working hard to ensure that our data security program meets or exceeds the highest standard.”
