- The University of Mississippi Medical Center (UMMC) agreed to pay HHS’ Office for Civil Rights $2.75 million to resolve security concerns identified when a laptop went missing in 2013.
- At the time, UMMC investigated the incident and concluded the laptop was likely stolen; it found no evidence that protected health information had been accessed or disclosed. The patients whose health information was on the laptop were nonetheless not notified, as HIPAA requires.
- The penalty will be paid out of UMMC’s healthcare operations revenues.
OCR’s investigation of the missing laptop found multiple HIPAA violations, including failure to implement policies and procedures to prevent, detect and manage security breaches, and failure to restrict access to electronic protected health information (ePHI) to authorized users only. For example, multiple UMMC employees had access to the laptop, which connected to the medical center’s network containing patient records, through a single shared password, so their activity could not be tied to any one individual.
“In addition to identifying risks and vulnerabilities to their ePHI, entities must also implement reasonable and appropriate safeguards to address them within a reasonable time frame,” OCR Director Jocelyn Samuels said in a release.
As part of the resolution agreement, UMMC must carry out a three-year corrective action plan that ensures every staffer with access to ePHI is individually identifiable rather than sharing credentials. The center has also agreed to update its information security policy to require notification of all individuals potentially affected by a breach.
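The two control failures OCR cited (a shared password on a device that reached patient records, and no way to attribute access to an individual) are the kind of thing a periodic log audit can surface. The script below is an added example written for this page, not UMMC's or OCR's own tooling; it assumes a constructed, hypothetical login log of the form `<ISO timestamp> <account> <source host> <result>` and a hypothetical account-to-person directory, and flags accounts used from several hosts within a short window (a sign of a shared credential) and accounts that map to no named person.

```python
"""Audit a login log for shared or unattributed accounts.

Added example for this page, not code from UMMC, OHSU or OCR. The log format
and the account directory are hypothetical assumptions made for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data). One line per login attempt:
# ISO timestamp, account name, source host, result.
SAMPLE_LOG = """\
2013-03-01T08:00:00 clinic_ws 10.1.1.10 success
2013-03-01T08:03:00 clinic_ws 10.1.1.22 success
2013-03-01T08:05:00 clinic_ws 10.1.1.31 success
2013-03-01T08:10:00 jdoe 10.1.2.5 success
2013-03-01T09:00:00 jdoe 10.1.2.5 success
2013-03-01T12:00:00 asmith 10.1.2.7 success
2013-03-01T12:02:00 asmith 10.1.2.7 failure
"""

# Hypothetical directory of accounts that belong to a named individual.
# Any account not listed here cannot be attributed to one person.
ACCOUNT_OWNER = {"jdoe": "Jane Doe", "asmith": "Alex Smith"}


def parse_log(text):
    """Parse the constructed log format into (timestamp, account, host, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, host, result = line.split()
        events.append((datetime.fromisoformat(ts), account, host, result))
    return events


def find_shared_accounts(events, window=timedelta(minutes=30), min_hosts=2):
    """Return {account: sorted hosts} for accounts with successful logins from
    at least min_hosts distinct hosts inside any sliding window of `window`.

    Several hosts using one account within minutes is the usual footprint of
    a password handed around a department rather than one person's login.
    """
    by_account = defaultdict(list)
    for ts, account, host, result in events:
        if result == "success":
            by_account[account].append((ts, host))

    flagged = {}
    for account, logins in by_account.items():
        logins.sort()  # chronological; tuples sort by timestamp first
        for i, (start, _) in enumerate(logins):
            hosts = {h for t, h in logins[i:] if t - start <= window}
            if len(hosts) >= min_hosts:
                flagged[account] = sorted(hosts)
                break
    return flagged


def find_unattributed_accounts(events, directory=ACCOUNT_OWNER):
    """Accounts seen in the log that the directory cannot tie to a named person."""
    return sorted({account for _, account, _, _ in events if account not in directory})


def audit(text):
    """Run both checks over a log and return the findings."""
    events = parse_log(text)
    return {
        "shared": find_shared_accounts(events),
        "unattributed": find_unattributed_accounts(events),
    }


if __name__ == "__main__":
    for kind, finding in audit(SAMPLE_LOG).items():
        print(f"{kind}: {finding}")
```

On the constructed sample, `clinic_ws` is flagged on both counts: three hosts log in with it inside five minutes, and no person owns it. The named accounts pass. In a real environment the same two checks would run against the directory and authentication logs the organization actually keeps; the point is that "every user individually identifiable" is something you can test for, not only write into a policy.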
Since the 2013 breach, UMMC has deployed encryption software on all of its laptops, expanded the role of its chief information security officer and brought in an outside firm to assess and update its IT security program.
The settlement resembles another recent HIPAA settlement, with Oregon Health & Science University (OHSU). That organization agreed to pay $2.7 million to settle a federal investigation into two breach reports involving unencrypted laptops and a larger breach involving a missing unencrypted thumb drive.
After reviewing records dating back to 2003, OCR found that OHSU had not acted in a timely manner to address the risks it had itself documented, and that it lacked policies and procedures to prevent and detect HIPAA violations.
It would behoove providers to have proper HIPAA policies and procedures in place; as these two cases show, the alternative can cost around $2.7 million.