The University of Mississippi (UM) Medical Center (UMMC) has agreed to settle with the U.S. Department of Health and Human Services Office for Civil Rights (OCR) over multiple alleged violations of the Health Insurance Portability and Accountability Act (HIPAA) for $2.75 million. During its investigation, OCR stated that UMMC had known about the risks and their possible consequences since April 2005 but took no security or risk management steps until the breach happened. This happened entirely due to deficiencies in work and management on UMMC’s part. To compensate, UMMC will pay $2,750,000 and implement a plan of action to ensure that no such incident takes place again. It must also comply with the HIPAA Privacy, Security, and Breach Notification Rules.
OCR was informed of the breach on March 21, 2013, when one of UMMC’s privacy officers found that a password-protected laptop was missing from UMMC’s Medical Intensive Care Unit (MICU). When UMMC investigated the matter itself, it found that the laptop may have been taken by a visitor who had come to the MICU. OCR also found that ePHI was stored on a UMMC network drive that an unauthorized person could easily reach through UMMC’s wireless network. Because the username and password were generic, unauthorized people could easily find all the information in a directory containing more than 67,000 files. The directory contained ePHI of 10,000 patients or more, in about 328 files, going back to 2008.
Moreover, OCR disclosed a number of UMMC’s failures:
- They did not implement proper policies to prevent security violations, took no action, and did not check their security against violations;
- They also did not put in place any policies or security personnel at any of the workplaces to check for unauthorized access to ePHI;
- They also failed to assign a unique username and password to identify each particular user of the system;
- They even failed to inform individuals that not following the policy and illegally accessing the system would be considered a breach of policy.
UM is the only academic health care centre in all of Mississippi, providing education, research and patient care. It has four specialized hospitals on its Jackson campus and clinics throughout Jackson and the entire state. It is one of the reputed healthcare institutes. The breach occurred on the main UMMC campus in Jackson.
To learn more about health care laws, privacy rights or civil rights, or to file a complaint, visit http://www.hhs.gov/ocr.