Idaho State University Pays $400,000 and Agrees to Implement Corrective Action Plan to Resolve Alleged HIPAA Violations


Idaho State University (ISU) has agreed to pay $400,000 to the U.S. Department of Health and Human Services (HHS) and implement a corrective action plan (CAP) to resolve allegations that it violated the HIPAA Security Rule by failing to implement and continually review security policies and procedures.  The settlement involves a breach of unsecured electronic protected health information of 17,500 individuals who were patients at an ISU clinic.

ISU notified the HHS Office for Civil Rights (OCR) in August 2011 of the breach, which resulted from disabled firewall protections that left patient records unsecured for approximately ten months. As a result of the notice, OCR conducted an investigation and found several alleged HIPAA Security Rule violations. Specifically, OCR found that between April 2007 and November 2012, ISU failed to conduct an analysis of the risk to confidentiality of ePHI as part of its security management process, did not adequately implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level, and did not adequately implement procedures to regularly review records of information system activity to determine whether ePHI was used or disclosed in an inappropriate manner.

In addition to paying the $400,000 settlement amount, ISU agreed to implement a corrective action plan with compliance obligations extending through May 13, 2015. Among other things, the CAP requires ISU to furnish documentation designating it as a “hybrid entity,” to identify all components in its system that have been designated covered health care components, and to report to HHS instances of workforce member noncompliance with ISU’s HIPAA Privacy and Security policies and procedures (“Reportable Events”). The report to HHS must include information such as the name of the individual involved and a description of the event; policies and procedures implicated; and actions taken to address the matter, mitigate harm and prevent recurrence.

For a copy of the HHS press release, please click here. For a copy of the Resolution Agreement and Corrective Action Plan, please click here.

Reporter, Kerrie S. Howze, Atlanta, +1 404 572 3594

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© King & Spalding | Attorney Advertising
