HHS Reaches $400,000 Settlement Of Alleged HIPAA Security Rule Violations For Disabling Firewall Protections


The U.S. Department of Health and Human Services (HHS) has reported a $400,000 settlement with Idaho State University (ISU) for alleged violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule. The incident giving rise to the investigation by the HHS Office for Civil Rights (OCR) involved a potential exposure of information about 17,500 patients over a ten-month period.

OCR has enforcement authority over the HIPAA Privacy and Security Rules. When a breach is reported to HHS, as required by the breach notification rules, OCR typically initiates an investigation into the reporting organization's compliance with the breach notification requirements as well as its overall compliance with the HIPAA Privacy and Security Rules. In this case, OCR concluded that:

(1) ISU failed to conduct an appropriate risk assessment between April 1, 2007 and November 26, 2012;

(2) ISU failed to implement adequate security protections during the same time period to protect electronic protected health information (ePHI); and

(3) ISU did not regularly review information system (IS) activity to determine if ePHI was inappropriately used or disclosed.

These points are all significant and emphasize the importance of a healthcare organization's efforts to evaluate its risks and respond appropriately to vulnerabilities. Moreover, point three supports OCR's expectation that organizations regularly review IS activity (e.g., audit trails and logging) to determine whether there has been an impermissible use or disclosure of ePHI, or whether the security protections in place need to be changed.

The Resolution Agreement includes a two-year corrective action plan (CAP) in addition to the monetary settlement. The CAP imposes numerous obligations on ISU, including annual reporting requirements as follows:

(1) summary of the risk management plan, security measures, and training;

(2) summary of IS activity review measures and evidence of training related to those measures;

(3) update on compliance gap analysis activity;

(4) summary of reportable events and corrective/preventative action;

(5) attestation from an ISU officer that the annual report is accurate and truthful.

OCR's 13th resolution agreement demonstrates the priority an organization must place on taking proactive steps to continuously assess risk and respond to it in a timely manner. In addition, the resolution agreement continues to support the notion that compliance is a C-Suite issue and that documentation is critical to support your compliance efforts.


Topics:  Cybersecurity, Data Protection, HHS, HIPAA, OCR, Settlement

Published In: Health Updates, Privacy Updates, Science, Computers & Technology Updates

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© BakerHostetler | Attorney Advertising
