Office for Civil Rights/University of Washington Medicine's $750,000 HIPAA Settlement

Covered Entities are defined in the HIPAA rules as a) health care providers who transmit any health information electronically in connection with transactions, b) health plans, and c) health care clearinghouses. The University of Washington Medicine (UWM) is a Covered Entity, which includes the University of Washington Medical Center (UWMC), the primary hospital of education for UWM. A breach was reported on 11/27/2013 of UWM, which included the exposure of electronic protected health information (e-PHI) for roughly 90,000 individuals. The breached e-PHI ranged from a combination of patient names, medical record numbers, dates of service, charges/bill balances, addresses, phone numbers, dates of birth, social security numbers, insurance identification, and Medicare numbers. The breach occurred after an employee downloaded an email attachment containing malicious malware that compromised the organization’s IT systems.

The investigation conducted by the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) found that not all affiliates of UWM were adopting the organization-wide policies and procedures, including the process of completing system-level risk assessments, and retaining documentation. Furthermore, UWM did not make reasonable efforts to ensure that all affiliates were adopting and executing its policies and procedures. Failure to ensure that these controls were in place and implement policies and procedures to prevent, detect, contain, and correct security violations ultimately led to a monetary settlement of $750,000, a corrective action plan, and annual reports on the organization’s compliance efforts. The settlement was based on the civil money penalty (CMP) structure prescribed by the HITECH Act (2009) and enacted by the Omnibus Final Rule (2013). The CMP structure is based on a tiered system related to each level of culpability (Unknowing, Reasonable Cause, Willful Neglect – Corrected, Willful Neglect – Not Corrected). Each violation (or e-PHI record) may account for up to $50,000 in CMP, capped at $1,500,000 for violations of an identical provision in a calendar year. Unfortunately, the OCR does not discriminate or show mercy for small organizations. The size and stature of a company has no effect on the CMP structure. Rather, CMP is based on the amount of e-PHI/PHI compromised in the breach and the culpability level of the violator in response to the breach.

How to Protect Your Organization from a Data Breach

  • Implement preventative, detective, and corrective controls and review/audit your controls regularly.
  • Test your control environment against the HHS OCR HIPAA Audit Protocol using an independent third party.
  • Complete an organization-wide security risk assessment on at least an annual basis. Consider utilizing the Security Risk Assessment Tool  provided by the HHS OCR and HHS Office of the General Counsel (OCG).
  • Require organization-wide Information Security awareness training and ensure compliance to training, to prevent costly errors.
  • Implement a third-party risk management program to manage your business associates, gain assurance over their control environment, monitor your sensitive data, and baseline service levels.  Be sure to ask your business associates if they have a SOC report available over their services, to validate that their controls are operating effectively.

Contact us if you are interested in learning more about SOC reports and visit our website to learn more about the services that Schneider Downs provides.

You’ve heard our thoughts… We’d like to hear yours

The Schneider Downs Our Thoughts On blog exists to create a dialogue on issues that are important to organizations and individuals. While we enjoy sharing our ideas and insights, we’re especially interested in what you may have to say. If you have a question or a comment about this article – or any article from the Our Thoughts On blog – we hope you’ll share it with us. After all, a dialogue is an exchange of ideas, and we’d like to hear from you. Email us at

Material discussed is meant for informational purposes only, and it is not to be construed as investment, tax, or legal advice. Please note that individual situations can vary. Therefore, this information should be relied upon when coordinated with individual professional advice.

© 2020 Schneider Downs. All rights-reserved. All content on this site is property of Schneider Downs unless otherwise noted and should not be used without written permission.

our thoughts on

AICPA Provides Guidance for COVID-19 Considerations in a SOC Examination
Audit, SOC, Technology BY Troy Fine
Amazon Web Services (AWS) Best Practices For a Successful SOC 2 Examination
Audit, SOC, Technology BY Sara Hudak
SOC 2 + HITRUST vs. HITRUST Certified CSF reports - the Fundamentals
SOC 2 Considerations When Moving to a Remote Workforce
SOC BY Eric Davis
SOC Control Optimization and Efficiencies
SOC 2 Examinations - Keys to Success

Register to receive our weekly newsletter with our most recent columns and insights.

Have a question? Ask us!

We’d love to hear from you. Drop us a note, and we’ll respond to you as quickly as possible.

Ask us

contact us

Map of Pittsburgh Office

One PPG Place, Suite 1700
Pittsburgh, PA 15222
p:412.261.3644     f:412.261.4876

Map of Columbus Office

65 East State Street, Suite 2000
Columbus, OH 43215
p:614.621.4060     f:614.621.4062

Map of Washington Office
Washington, D.C.

1660 International Drive, Suite 600
McLean, VA 22102