A malware infection cost the University of Massachusetts Amherst (UMass) $650,000 for potential HIPAA violations, and the school must comply with a corrective action plan.

The breach was blamed, in part, on the university’s failure to consider the location of its healthcare facilities, which left it without the HIPAA security provided to other sites on campus.

UMass reported to the U.S. Department of Health and Human Services Office for Civil Rights (OCR) on June 18, 2013, that a workstation in its Center for Language, Speech, and Hearing was infected with a malware program that compromised the electronic protected health information (ePHI) of 1,670 individuals, including names, addresses, Social Security numbers, dates of birth, health insurance information, diagnoses, and procedure codes. The university determined the malware was a generic remote access Trojan that infected the system because UMass did not have a firewall in place.

In addition to lacking a firewall, the OCR investigation revealed that the university had misclassified the language center as outside the scope of HIPAA requirements. When it hybridized, OCR concluded, UMass failed to designate all of its healthcare components: it incorrectly determined that while its University Health Services was a covered healthcare component, other components, including the center where the breach of ePHI occurred, were not.

“Because UMass failed to designate the center a healthcare component, UMass did not implement policies and procedures at the center to ensure compliance with the HIPAA Privacy and Security Rules,” according to the OCR report.

The HIPAA Privacy Rule permits legal entities that provide some functions that are covered by HIPAA and some that are not to elect to become a “hybrid entity.” To successfully “hybridize,” the entity must designate in writing the healthcare components that perform functions covered by HIPAA and assure HIPAA compliance for its covered healthcare components, the OCR report explains.

OCR also noted that UMass did not conduct an accurate and thorough risk analysis until September 2015.

In addition to the monetary settlement, UMass agreed to a corrective action plan that requires the organization to conduct an enterprise-wide risk analysis, develop and implement a risk management plan, revise its policies and procedures, and train its staff on these policies and procedures. The Resolution Agreement and Corrective Action Plan is available online at: http://go.cms.gov/2geW3DL.