Poor IT Practices Lead to Large Penalty
Question: Why was the University of Mississippi Medical Center fined $2.75 million when no patient information was proved to have been accessed?
Answer: The University of Mississippi Medical Center paid a $2.75 million penalty to the Office for Civil Rights (“OCR”) as part of an agreement to resolve security problems found after the 2013 disappearance of a laptop computer that contained health information for as many as 10,000 people. An investigation by the medical center revealed that a visitor to the intensive care unit probably stole the laptop after asking to borrow it. OCR concluded that because the laptop could access the medical center’s wireless network, whoever took it could obtain private health information after merely entering a generic user name and password.

The medical center is adamant that there is no evidence that health information was accessed or disclosed, and officials thought they had taken appropriate steps to publicize the loss as per HIPAA requirements. However, the medical center did not attempt to notify people individually, claiming that it did not have enough information to do so. The federal agency disagreed, saying the medical center should have tried to notify individuals. OCR was also highly critical of the medical center for not doing enough to secure records and for allowing ICU workers to use the laptop without individual user names. OCR noted that the medical center had been aware of some weaknesses as early as 2005. Jocelyn Samuels, director of OCR, said in a statement that the “OCR remains particularly concerned with unaddressed risks that may lead to impermissible access.”

A 14-page agreement between the agency and the medical center also lays out a series of other reforms, including requirements that the medical center designate a person to monitor compliance, draw up a risk management plan across the entire 10,000-employee hospital system, and update its information security policies and its procedures for notifying people about breaches. The medical center also must assign employees individual user names and report to OCR for three years under the agreement.
Weekly Charting Tip:

Make sure that when you record a prescription given for a patient, it not only has the name of the medication, but also the dosage, how many to take, and how and when, as well as the number being dispensed! Also note why any changes have been made to the prescription, such as dosage or frequency, and note that it is a change from the prior prescription.  - Larry Kobak, Esq.

If you have any questions, please contact us at 1-800-445-0954 or via email at info@DrLaw.com.
We wanted to bring you a step closer to total legal coverage. We thought you deserved more. Email us at info@ThePAP.com for more details.
At Kern Augustine, P.C., we have been opposing the harassment of physicians for over thirty years. Day in and day out, our team of highly skilled, nationally recognized attorneys battles federal and state regulators and third-party payors who seek to punish, harass, investigate and/or prosecute physicians. We remain on the cutting edge of the ever-changing rules and regulations affecting health care practitioners and the intricacies of today’s health law.
Put Kern Augustine, P.C. on your side with the Physician Advocacy Program®

Kern Augustine, P.C., Attorneys to Health Professionals, DrLaw.com, is solely devoted to the representation of physicians and other health care professionals.