Idaho State University (ISU), which operates 29 outpatient clinics, recently agreed to pay $400,000 to the U.S. Department of Health and Human Services (HHS) to settle its alleged violations of the Security Rule promulgated pursuant to the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
The ISU settlement involves a breach of the unsecured electronic protected health information (ePHI) of approximately 17,500 patients at ISU’s Pocatello Family Medicine clinic. The HHS Office for Civil Rights (OCR) opened an investigation in November 2011 after ISU notified OCR in August 2011 about a breach due to the disabling of certain firewall protections at servers maintained by ISU. As a result of the disabling of these firewall protections, the ePHI of approximately 17,500 patients, which was maintained by ISU, was unsecured for a period of at least 10 months.
Specifically, OCR’s investigation revealed that (1) ISU did not conduct an analysis of the risk to the confidentiality of ePHI as part of its security management process from April 1, 2007, until Nov. 26, 2012; (2) ISU did not adequately implement security measures sufficient to reduce the risks and vulnerabilities to a reasonable and appropriate level from April 1, 2007, until Nov. 26, 2012; and (3) ISU did not adequately implement procedures to regularly review records of information system activity to determine if any ePHI was used or disclosed in an inappropriate manner from April 1, 2007, until June 6, 2012.
ISU has agreed to a two-year comprehensive corrective action plan to address the issues uncovered by OCR’s investigation, which requires ISU to (1) provide HHS with documentation designating it as a hybrid entity and identifying all its designated covered healthcare components; (2) provide its risk management plan to HHS; (3) submit records pertaining to the implementation of its information system activity review across its covered healthcare components; (4) conduct and document a compliance gap analysis; and (5) investigate and report any violation of its HIPAA privacy and security policies and procedures to HHS within 30 days of the investigation.
The recent ISU settlement is another example of increased HIPAA enforcement. Covered entities should take note that OCR is increasingly imposing significant penalties in response to HIPAA noncompliance.