The University of Massachusetts Amherst has agreed to pay $650,000 and implement a corrective action plan as part of a settlement over allegations that it violated the Health Insurance Portability and Accountability Act (HIPAA) of 1996.
The incident reportedly occurred back in 2013, when the University experienced a relatively small breach linked to malicious software. At this time, University officials said a workstation in its Center for Language, Speech and Hearing had become infected with malware, which resulted in the disclosure of personal health information of 1,670 individuals. Some of the personal information disclosed during the breach included names, birth dates, health insurance account numbers, diagnoses, addresses and Soecial Security Numbers.
After the breach was reported, OCR began an investigation into the incident to determine whether or not the University had been at fault. Investigators found that the University failed to designate its healthcare components when hybridizing; failed to implement the necessary technical secyrity measured to guard against unauthorized access of ePHI; and it failed to conduct an accurate and thorough risk analysis until September 2015.
These are all pretty common violations – and UMass certainly isn't the first covered entity to be cited for them, nor will it be the last. Doctors and other covered entities should learn a lesson from this incident, and that is to implement the appropriate safeguards for ePHI and conduct regular risks assessments and risk analyses.
The OCR has stepped up its HIPAA enforcement efforts in recent months, which is apparent from all of the newsworthy cases like the one involving UMass. But violations such as these are easily avoided if you take the time to comply with HIPAA and its rules.
UMass has agreed to pay $650,000 to settle this HIPAA-related incident. In addition, the University must also implement a correct action plan, which includes a risk analysis, risk management plan, revision of its policies and procedures, and the retraining of staff on these new policies and procedures.
“HIPAA’s security requirements are an important tool for protecting both patient data and business operations against threats such as malware,” said OCR Director Jocelyn Samuels when announcing the settlement. “Entities that elect hybrid status must properly designate their health care components and ensure that those components are in compliance with HIPAA’s privacy and security requirements.”
To learn more about the UMass HIPAA settlement, check out the official press release published on the Department of Health and Human Services (HHS) website.