The University of Mississippi Medical Center issued the following press release:
UMMC TO PAY PENALTY RELATED TO LAPTOP DISAPPEARANCE
JACKSON, Miss. – The University of Mississippi Medical Center has reached an agreement with the Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services to settle a matter regarding the disappearance of a laptop computer from UMMC in March of 2013.
After an extended review, OCR found that there were deficiencies in some UMMC policies and procedures intended to protect the confidentiality of personal health information, and that the Medical Center’s follow-up to the disappearance of the laptop was not satisfactorily resolved.
As part of the settlement, UMMC has agreed to pay a civil money penalty of $2.75 million from its health-care operations revenue. An OCR news release about the case, including a link to the resolution agreement, can be found at http://www.hhs.gov/ocr/
The laptop disappeared in March 2013 and is believed to have been stolen. However, there is no evidence that protected health information was accessed or otherwise disclosed.
The laptop was deployed in the adult hospital to a unit and not to an individual. It was used by multiple staff members to, among other things, access a database containing patient records. Even though an individual staff member’s password was required to access UMMC’s computer network via the laptop, the database did not require an individual login.
At the time of the incident, UMMC administrators initiated required procedures, including issuing a news release and placing a public notice on the Medical Center’s websites about the potential breach of confidential patient data. They also notified OCR of the incident and conducted an internal investigation into the laptop’s disappearance.
However, UMMC did not directly notify each individual whose protected health information “was reasonably believed to have been accessed, acquired, used or disclosed as a result of the breach,” which was an expectation of the agency.
As part of the settlement, OCR will require UMMC to implement a corrective action plan during the next three years, including updating its Information Security Policy. The revised policy will include a standard that, following the discovery of a breach of protected health information, UMMC will notify each individual potentially affected by the breach.
UMMC will also be required to demonstrate that each user with access to confidential health information must be individually identifiable, to deter access by unauthorized users.
Under the terms of the agreement, UMMC is not admitting liability and the government is not conceding that UMMC is not in violation of applicable federal regulations.
In the last several years, UMMC has initiated substantial improvements in its information security program. Among other initiatives, the Medical Center is requiring that all laptop computers have encryption software installed, has restructured the role and reporting relationships of its Chief Information Security Officer, and has brought in an outside firm for a complete assessment and overhaul of its IT security program.
“Our patients should never have to doubt that their privacy is a sacred trust that we are committed to protecting as part of our core ethical values,” said Dr. LouAnn Woodward, vice chancellor for health affairs. “We have learned from this experience and are working hard to ensure that our information security program meets or exceeds the highest standard.”
12 comments:
I wonder who the $2.7 mil goes to and what it will be used for?
That is an expensive laptop.
Perhaps UMMC will take its compliance with federal laws seriously from now on. The OCR doesn't routinely hand out multi-million dollar fines unless there is gross incompetence. This was a simple case for it to resolve. It is widely known that UMMC is underrepresented on healthcare laws.
They have Lord Snow. What else do they need?
Whoever is in charge of UMMC's liability insurance program should be terminated without delay. This is Insurance & Risk Management 101. We can hope, I guess, that he has enough sense to buy cyber-liability coverage.
Perhaps Hillary Clinton will take our Federal laws seriously from now on... Aw screw it.
"Under represented on healthcare laws" say what? Please. There is so much bureaucracy and so many bullshit job titles in that place. Bet the assistant vice chancellor for micro aggression bias response bathroom equality committee chairperson would not have missed it.
How many people ... err ... Did anyone get fired over this? Oh yeah, it's UMC, never mind, dumb question.
Butler Snow farms that work out through a subcontract.
Folks this is going to happen for real one day. This is one of the many crazy parts of Obomacare. Having all the medical records for the entire USA online is just too big a target. It will be hacked one day.
Obamacare didn't do this. The push for electronic medical records started with Bush/Cheney.
Not saying the problem is electronic medical records. As I see it, the problem is having all the records connected, i.e. government-run healthcare. How much effort would you spend to have UMC patients vs hacking the entire USA?
@12:07- Clearly you have not read the ACA (which was supported by the UMMC Godfather). EHR mandate was passed under Bush, not Obama. This is just another example of UMMC being the most screwed, poorly run entity in our state. It is a shame how much money our taxpayers waste on this failing medical center.