UMass to Pay OCR $650K to Resolve HIPAA Violations

The Department of Health and Human Services’ Office for Civil Rights (OCR) has agreed to a $650,000 settlement with University of Massachusetts Amherst (UMass). The settlement resolves HIPAA violations that contributed to the university experiencing a malware infection in 2013.

In early 2013, malware was installed on a workstation in the Center for Language, Speech, and Hearing. The infection resulted in the impermissible disclosure of the electronic protected health information of 1,670 individuals. Those individuals had their names, addresses, social security numbers, birth dates, health insurance information, diagnoses, and procedure codes disclosed to the actors behind the malware attack.

Following the discovery of the infection in 2013, UMass conducted a detailed analysis of the infected workstation. The malware was a generic remote access Trojan and infection occurred because the workstation was not protected by a firewall. UMass ascertained that access to ePHI had been gained.

OCR investigates all data breaches that impact more than 500 individuals to determine whether breached entities have complied with the HIPAA Privacy, Security, and Breach Notification Rules and whether breaches have occurred as a result of HIPAA violations. According to the resolution agreement, OCR was notified of the breach by UMass on June 4, 2013 and an investigation was launched on August 27, 2013.

OCR investigators discovered a number of areas of non-compliance with HIPAA Rules that directly contributed to the UMass data breach.

As a hybrid entity, UMass is only required to comply with HIPAA Rules for some of its components – Those that meet the definition of a covered entity or business associate under HIPAA definitions. UMass had implemented appropriate safeguards to protect the confidentiality, integrity, and availability of ePHI for its University Health Services component; but those same controls were not used for the Center for Language, Speech, and Hearing as UMass did not designate it as a healthcare component.

According to OCR, “To successfully “hybridize,” the entity must designate in writing the health care components that perform functions covered by HIPAA and assure HIPAA compliance for its covered health care components.”

This error meant that UMass did not conduct a HIPAA-compliant risk analysis at the Center. A risk analysis was eventually performed, but not until September 2015. UMass also failed to implement technical security measures to protect the Center’s network and prevent unauthorized ePHI access.

The HIPAA violations could have resulted in a much higher financial penalty but OCR took the University’s finances into account. OCR said the settlement “is reflective of the fact that the University operated at a financial loss in 2015.”

OCR Director Jocelyn Samuels announced the settlement and explained that “HIPAA’s security requirements are an important tool for protecting both patient data and business operations against threats such as malware,” Samuels went on to say “Entities that elect hybrid status must properly designate their health care components and ensure that those components are in compliance with HIPAA’s privacy and security requirements.”

UMass agreed to the settlement with no admission of liability. UMass will pay a $650,000 penalty and will adopt a corrective action plan (CAP) to ensure policies and procedures are brought in line with the minimum standards required under the Health Insurance Portability and Accountability Act.

The CAP requires UMass to conduct a comprehensive risk analysis of all equipment, systems and applications that are used to access or store ePHI to ensure all risks to the confidentiality, integrity, and availability of ePHI are identified.

An enterprise-wide risk management plan must also be developed to address all risks to ePHI that are identified by the risk analysis. A full review of policies and procedures must also take place to ensure they comply with Federal standards, and all staff members must be provided with training on those policies and procedures after they have been approved by OCR.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.