HHS Reaches $400,000 Settlement Of Alleged HIPAA Security Rule Violations For Disabling Firewall Protections


The U.S. Department of Health and Human Services (HHS) has reported a $400,000 settlement with Idaho State University (ISU) for alleged violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule. The incident giving rise to the investigation by the HHS Office for Civil Rights (OCR) involved a potential exposure of information about 17,500 patients over a ten-month period.

OCR has enforcement authority over the HIPAA Privacy and Security Rules. When a breach is reported to HHS, as required by the breach notification rules, OCR typically initiates an investigation into the reporting organization's compliance with the breach notification requirements as well as its overall state of compliance with the HIPAA Privacy and Security Rules. In this case, OCR concluded that:

(1) ISU failed to conduct an appropriate risk assessment between April 1, 2007 and November 26, 2012;

(2) ISU failed to implement adequate security protections during the same time period to protect electronic protected health information (ePHI); and

(3) ISU did not regularly review information system (IS) activity to determine if ePHI was inappropriately used or disclosed.

These points are all significant and emphasize the importance of the actions a healthcare organization takes to evaluate its risks and respond appropriately to vulnerabilities. Moreover, point three supports OCR's expectation that organizations regularly review IS activity (e.g., audit trails and logging) to determine whether there has been an impermissible use or disclosure of ePHI, or whether the security protections in place need to be changed.

The Resolution Agreement includes a two-year corrective action plan (CAP) in addition to the monetary settlement. The CAP imposes numerous obligations on ISU, including annual reporting requirements as follows:

(1) summary of the risk management plan, security measures, and training;

(2) summary of IS activity review measures and evidence of training related to those measures;

(3) update on compliance gap analysis activity;

(4) summary of reportable events and corrective/preventative action;

(5) attestation from an ISU officer that the annual report is accurate and truthful.

OCR's 13th resolution agreement demonstrates the priority an organization must place on taking proactive steps to continuously assess and promptly respond to risk. In addition, the resolution agreement continues to support the notion that compliance is a C-Suite issue and that documentation is critical to supporting your compliance efforts.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© BakerHostetler | Attorney Advertising
