[ Monday, December 14, 2015 ]
University of Washington Medicine:
Jeff [7:57 PM]
An employee downloads an email attachment that contains malware, and the PHI of 90,000 patients is exposed (including Social Security Numbers of 15,000 people). The covered entity has policies and procedures requiring the business units to have up-to-date risk assessments and safeguards, but doesn't check to make sure the business units are taking appropriate precautions. If you're the University of Washington Medicine,
that failure gets you a $750,000 fine. Wow.
Key take-away: You must do a risk analysis, and the risk analysis must be system-wide if you're more than a single entity. The more complicated your corporate structure, the more complex your risk analysis should be (or at least make sure you cover all your relevant risk areas/entities).
Blogger: HIPAA Blog - Edit your Template