The University of Mississippi Medical Center is being penalized $2.75 million for a health data breach by the U.S. Department of Health and Human Services.

The hospital also must implement a three-year corrective action plan to address the shortcomings found in an investigation.

The Hill reports the fine came for a series of violations of Health Insurance Portability and Accountability Act privacy and security requirements. The hospital agreed to settle with HHS’s Office of Civil Rights, without admitting liability, in the case of a password-protected laptop that was stolen, probably by a visitor to the hospital’s intensive care unit who had asked to borrow the laptop.

Although the laptop itself was protected by a generic username and password, it allowed easy access to the hospital network and to the private health data for 10,000 patients. The laptop was assigned to the intensive care unit, and although individual logins were required to access the network, no such barrier stood between a user and the patient record database.

Although the hospital did concede some shortcomings — the agency cited after its investigation such failures as a lack of physical safeguards for workstations that contained protected data, failure to track users accessing electronic health information and failure to notify all the individuals who were affected by the breaches — it said that there was no indication that any protected data were accessed.

Just days earlier, the Office of Civil Rights settled with Oregon Health & Science University in another HIPAA case; this time the penalty was $2.7 million after four breaches in 2012 and 2013 resulted in the data of more than 3,000 individuals being compromised. Two unencrypted laptops and one unencrypted thumb drive were lost or stolen. In addition, the agency said the hospital never implemented a required security agreement with a cloud service provider storing the health data.

The Office of Civil Rights is boosting enforcement even as HHS hopes to boost protections for health data that fall beyond the HIPAA framework. Wearable technologies and mobile apps are not covered by HIPAA requirements, yet they collect and transmit health data from users without being required to protect it in the way healthcare providers are.

Karen DeSalvo, the director of the Office of Civil Rights, has urged Congress in a blog post to expand protection for those kinds of health data; in a report to Congress, the Office of the National Coordinator for Health IT has advised how wearables are not covered by existing privacy laws.

© 2024 ALM Global, LLC, All Rights Reserved.