Idaho State University Pays $400,000 and Agrees to Implement Corrective Action Plan to Resolve Alleged HIPAA Violations


Idaho State University (ISU) has agreed to pay $400,000 to the U.S. Department of Health and Human Services (HHS) and implement a corrective action plan (CAP) to resolve allegations that it violated the HIPAA Security Rule by failing to implement and continually review security policies and procedures. The settlement involves a breach of unsecured electronic protected health information (ePHI) of 17,500 individuals who were patients at an ISU clinic.

In August 2011, ISU notified the HHS Office for Civil Rights (OCR) of the breach, which resulted from disabled firewall protections that left patient records unsecured for approximately ten months. As a result of the notice, OCR conducted an investigation and found several alleged HIPAA Security Rule violations. Specifically, OCR found that between April 2007 and November 2012, ISU failed to conduct an analysis of the risk to confidentiality of ePHI as part of its security management process, did not adequately implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level, and did not adequately implement procedures to regularly review records of information system activity to determine whether ePHI was used or disclosed in an inappropriate manner.

In addition to paying the $400,000 settlement amount, ISU agreed to implement a corrective action plan with compliance obligations extending through May 13, 2015. Among other things, the CAP requires ISU to furnish documentation designating it as a “hybrid entity,” to identify all components in its system that have been designated covered health care components, and to report to HHS instances of workforce member noncompliance with ISU’s HIPAA Privacy and Security policies and procedures (“Reportable Events”). The report to HHS must include information such as the name of the individual involved and a description of the event; the policies and procedures implicated; and the actions taken to address the matter, mitigate harm and prevent recurrence.


Reporter, Kerrie S. Howze, Atlanta, +1 404 572 3594



DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© King & Spalding | Attorney Advertising
