Idaho State University Ordered to Pay $400K Settlement for HIPAA Breach

Violating HIPAA regulations can incur harsh penalties, as discovered by Idaho State University this month. The institution has recently been forced to settle with the Department of Health and Human Services’ Office of Civil Rights for alleged violations of the HIPAA Privacy Rule. Fines were issued for HIPAA non-compliance issues relating to network security; inadequacies which exposed sensitive patient health information to third parties.

ISU had implemented the required control measures to prevent health data from being accessible by unauthorized personnel, although it failed to perform checks to ensure that the security measures it had implemented had remained in place.

The security breach occurred when the Pocatello Family Medicine Clinic disabled the firewall that was protecting a server containing medical health records of 17,500 its patients. The firewall was inactive for a period of 10 months leaving the data exposed and potentially accessible to unauthorized third parties for an unacceptable period of time.

According to the HHS, ISU operates 29 outpatient clinics and is bound by HIPAA regulations to protect electronic health records at up to 8 of its centers. The breach occurred at one of the centers where ISU was required to have information technology security systems in place.

When ISU identified the breach in August 2011 it issued a breach notification and the Office for Civil Rights conducted an investigation which commenced in November 2011. The investigation confirmed the security breach due to the deactivated firewall, and also found that inadequate risk analyses had been conducted at the clinics over a period of three years.

The OCR also determined that insufficient action was taken to address future risks: Implementing procedures to protect data is insufficient in itself. Policies and procedures need to be regularly revisited to ensure that vulnerabilities do not develop.

If the procedures, policies and system been reviewed as required under the HIPAA Security Rule, ISU would have identified the deactivated firewall and could have taken prompt action to address the issue. While the security issue may not have been prevented, the length of time the data was exposed would certainly have been limited.

According to OCR Director, Leon Rodriguez, “Risk analysis, ongoing risk management, and routine information system reviews are the cornerstones of an effective HIPAA security compliance program.”

In addition to having to pay the $400,000 settlement, ISU has agreed to implement an action plan which involves a thorough assessment of all policies and procedures to ensure that any remaining vulnerabilities are identified and addressed.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.