JACKSON, Miss. - The University of Mississippi Medical Center has reached an agreement with the Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services to settle a matter regarding the disappearance of a laptop computer from UMMC in March of 2013.
After an extended review, OCR found that there were deficiencies in some UMMC policies and procedures intended to protect the confidentiality of personal health information, and that the Medical Center's follow-up to the disappearance of the laptop was not satisfactorily resolved.
As part of the settlement, UMMC has agreed to pay a civil money penalty of $2.75 million from its health-care operations revenue. An OCR news release about the case, including a link to the resolution agreement, can be found at http://www.hhs.gov/ocr/newsroom/index.html.
The laptop disappeared in March 2013 and is believed to have been stolen. However, there is no evidence that protected health information was accessed or otherwise disclosed.
The laptop was deployed in the adult hospital to a unit and not to an individual. It was used by multiple staff members to, among other things, access a database containing patient records. Even though an individual staff member's password was required to access UMMC's computer network via the laptop, the database did not require an individual login.
At the time of the incident, UMMC administrators initiated required procedures, including issuing a news release and placing a public notice on the Medical Center's websites about the potential breach of confidential patient data. They also notified OCR of the incident and conducted an internal investigation into the laptop's disappearance.
However, UMMC did not directly notify each individual whose protected health information “was reasonably believed to have been accessed, acquired, used or disclosed as a result of the breach,” which was an expectation of the agency.
As part of the settlement, OCR will require UMMC to implement a corrective action plan during the next three years, including updating its Information Security Policy. The revised policy will include a standard that, following the discovery of a breach of protected health information, UMMC will notify each individual potentially affected by the breach.
UMMC will also be required to demonstrate that each user with access to confidential health information must be individually identifiable, to deter access by unauthorized users.
Under the terms of the agreement, UMMC is not admitting liability and the government is not conceding that UMMC is not in violation of applicable federal regulations.
In the last several years, UMMC has initiated substantial improvements in its information security program. Among other initiatives, the Medical Center is requiring that all laptop computers have encryption software installed, restructured the role and reporting relationships of its Chief Information Security Officer, and brought in an outside firm for a complete assessment and overhaul of its IT security program.
“Our patients should never have to doubt that their privacy is a sacred trust that we are committed to protecting as part of our core ethical values,” said Dr. LouAnn Woodward, vice chancellor for health affairs. “We have learned from this experience and are working hard to ensure that our information security program meets or exceeds the highest standard.”