University with Multiple Covered Entity Components Enters Into $750,000 HIPAA Settlement
On December 14, 2015, the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) announced a $750,000 settlement with the University of Washington (UW). This is the third HIPAA settlement announced by OCR within the last month. The UW settlement highlights the following two points: (1) it is essential that an institution understand which of its affiliates and/or components that provide health care services are “covered entities” under HIPAA, and (2) those institutions with multiple covered entity components must ensure that all of those components are vigorous with respect to HIPAA compliance.
According to the OCR Settlement Agreement, UW has multiple affiliated covered entity components, including an academic medical center and various outpatient clinics.
OCR’s investigation of UW was initiated by UW’s voluntary notice to OCR in November 2013 of a breach of unsecured electronic protected health information (e-PHI) affecting approximately 90,000 individuals. The e-PHI of these individuals was accessed after a UW employee downloaded an e-mail attachment containing malware, which compromised UW’s IT system.
OCR’s investigation revealed that while UW’s HIPAA security policies required all of its affiliated entities to have up-to-date, documented risk assessments, UW did not ensure that all of those affiliated entities were properly conducting risk assessments and appropriately responding to potential risks and vulnerabilities.
In addition to the $750,000 payment, UW and OCR entered into a two-year Corrective Action Plan (CAP) as part of the settlement. Under the terms of the CAP, UW is required to:
- Submit a comprehensive risk analysis to OCR and review the risk analysis at least annually;
- Provide OCR with a risk management plan to address identified risks;
- Complete a structural reorganization of its compliance program within 180 days; and
- During the term of the CAP, submit an annual report to OCR with respect to the status of and findings regarding UW’s compliance with the CAP.
A copy of the Resolution Agreement and CAP is available here.
In light of the rigorous HIPAA enforcement activity by OCR and the significant payments and corrective actions required, institutions should make sure they know at all times (i) which of their affiliates or components are providing health care services, (ii) whether those health care providers are covered entities subject to HIPAA, and (iii) that the entity or institution oversees HIPAA compliance with respect to each of these components. Further, covered entities and business associates should review their HIPAA privacy and security rule compliance programs, including their risk assessments and risk management plans. If those programs, risk assessments or risk management plans have not been completed recently, or have not been completed at all, institutions should complete these tasks immediately.
The UW settlement is an example of OCR’s recent emphasis on HIPAA security rule enforcement. Saul Ewing will continue to monitor future HIPAA enforcement by OCR. The Firm has written extensively about OCR enforcement activities, including:
Saul Ewing attorneys advise clients regularly on HIPAA privacy rule, security rule and breach notification rule compliance, including preparing and reviewing policies and procedures; conducting HIPAA training activities; advising on HIPAA breaches and notification obligations; and assisting clients with preparing risk assessments. For more information on these matters, please contact the authors or the attorney at the firm with whom you are regularly in contact.