In its press release, the Department of Health and Human Services (“DHHS”) once again pointed out the importance of an organization-wide risk analysis. The press release resulted from a $750,000 settlement with the University of Washington Medicine (“UWM”) for failure to implement policies and procedures to prevent, detect, contain, and correct security violations.
The settlement resulted from a breach report submitted by UWM that notified DHHS that the electronic protected health information (“EPHI”) of some 90,000 individuals was improperly accessed after an employee had downloaded an email attachment containing malware. Through this improper access, the hacker obtained patient names, medical record numbers, dates of service, addresses and phone numbers, dates of birth, charges or bill balances, Social Security numbers, and insurance identification or Medicare numbers.
The DHHS Office for Civil Rights (“OCR”) investigation revealed that UWM’s security policies required its affiliated entities to have up-to-date, documented system-level risk assessments and to implement safeguards in compliance with the Security Rule. UWM did not, however, ensure that all of its affiliated entities were properly conducting risk assessments and appropriately responding to the potential risks and vulnerabilities in their respective environments.
“All too often we see covered entities with a limited risk analysis that focuses on a specific system such as the electronic medical record or that fails to provide appropriate oversight and accountability for all parts of the enterprise,” said OCR Director Jocelyn Samuels. “An effective risk analysis is one that is comprehensive in scope and is conducted across the organization to sufficiently address the risks and vulnerabilities to patient data.”
Our Risk Analysis ToolKit is designed to ensure that users conduct the risk analysis across their entire organizations to avoid what happened to UWM. If you have bought our HIPAA Compliance Library, you have our editable Risk Analysis ToolKit on the HIPAA Documents Resource Center CD accompanying the Compliance Guide to HIPAA and the DHHS Regulations, preferably the 6th edition, which is the latest edition. If you want help with your risk analysis, you could also buy our online Risk Analysis ToolKit, which comes with a written report by Jon Tomes based on answers that you submit to us and a phone consultation, for $500.
We wish you a Happy New Year, and we trust that one of your resolutions is to conduct and document your first risk analysis, if necessary, or to update and document your existing risk analysis, and to keep the documentation in Your Happy HIPAA Book.