University of Massachusetts Settles Potential HIPAA Violations Following Malware Infection
December 12th, 2016
The Office of Civil Rights (OCR) division of the U.S. Office of Health and Human Services (HHS) announced in November that the University of Massachusetts at Amherst (UMass) agreed to settle potential violations of HIPAA privacy and security rules. UMass agreed to a monetary payment of $650,000 and a corrective action plan.
According to a news release from OCR, UMass reported in June 2013 that a malware infection at a computer workstation in its Center for Language, Speech, and Hearing led to the disclosure of the names, addresses, Social Security numbers, dates of birth, diagnoses, procedure codes, and other health insurance information on 1,670 individuals. The unauthorized access to electronic protected health information (ePHI) was related to the fact that UMass did not have a firewall in place on that computer, according to OCR.
HIPAA privacy rules allow legal entities to “hybridize” their functions by designating, in writing, which of their healthcare components perform functions that are covered by HIPAA and which do not. They must then assure the OCR that they are complying with HIPAA in the components so designated. UMass failed to properly designate all of its healthcare components when hybridizing, incorrectly determining that the center was not a covered component. As a result, UMass failed to implement the appropriate security measures at the center to guard against unauthorized access to ePHI. Though there is no current evidence that OCR is looking specifically at hybridized entities, this settlement might lead hospitals and other providers to designate components as covered by HIPAA if there is any chance they might be covered, or to seek the counsel of OCR with regard to a specific entity where HIPAA compliance is not obviously mandated.
The UMass corrective action plan requires the organization to conduct an enterprise-wide risk analysis, develop and implement a risk management plan, revise its policies and procedures, and train its staff on these policies and procedures.