University of Mississippi Medical Center Fined $2.75 Million Over Alleged HIPAA Compliance Violations

The U.S. Department of Health and Human Services (HHS) continues to rack up multi-million-dollar settlements in the department’s second-wave HIPAA enforcement initiative.

In a July settlement with the University of Mississippi Medical Center, the university agreed to pay 2.75 million dollars to resolve HIPAA violations. According to HHS: “During the investigation, OCR [Office for Civil Rights] determined that UMMC was aware of risks and vulnerabilities to its systems as far back as April 2005, yet no significant risk management activity occurred until after the breach, due largely to organizational deficiencies and insufficient institutional oversight.

UMMC will pay a penalty of $2,750,000 and adopt a corrective action plan to help assure future compliance with HIPAA Privacy, Security, and Breach Notification Rules.”

UMMC’s HIPAA Violations

In this case, a stolen laptop was the door opener for HHS’s investigation. According to the department:

“On March 21, 2013, OCR was notified of a breach, after UMMC’s privacy officer discovered that a password-protected laptop was missing from UMMC’s Medical Intensive Care Unit (MICU). UMMC’s investigation concluded that it had likely been stolen by a visitor to the MICU who had inquired about borrowing one of the laptops.

OCR’s investigation revealed that ePHI stored on a UMMC network drive was vulnerable to unauthorized access via UMMC’s wireless network, because users could access an active directory containing 67,000 files after entering a generic username and password. The directory included 328 files containing the ePHI of an estimated 10,000 patients dating back to 2008.”

Securing Laptops and HIPAA Compliance

Stolen or misplaced laptops are a major source of HIPAA violations. Securing laptops, desktop computers, tablets, and other technology, and tracking when they are removed from offices and by whom, are key parts of HIPAA compliance.

HIPAA-vigilant organizations should take additional measures to safeguard the privacy of patients’ health care information.

  1. Ensure that you have compliant HIPAA policies and procedures.
  2. Implement mandatory, comprehensive HIPAA training for ALL staff.
  3. Ensure that your policies and protocols address protection of laptops, thumb drives, and other devices containing HIPAA-protected information.
  4. Address how you monitor and safeguard the computers, tablets, and other devices that your employees take home or use for work outside the office.

Read some of Bruce Adelson’s other blog posts to learn about more developments in federal compliance and language access law, and be sure to contact us if you’re interested in a consultation about your own organization’s compliance with federal language access law.

© 2017 Bruce L. Adelson, special for Bromberg. All Rights Reserved. The material herein is educational and informational only. No legal advice is intended or conveyed.

Bruce L. Adelson, Esq., CEO of Federal Compliance Consulting LLC, is nationally recognized for his compliance expertise concerning many federal laws. Mr. Adelson is a former U.S. Department of Justice Civil Rights Division Senior Attorney.

Mr. Adelson teaches cultural and civil rights awareness at Georgetown University School of Medicine in Washington, D.C.