Settlement for Alleged Violation of HIPAA Security Rule Costs Idaho State University $400,000

May 30, 2013

Idaho State University (ISU), which operates 29 outpatient clinics, recently agreed to pay $400,000 to the U.S. Department of Health and Human Services (HHS) to settle its alleged violations of the Security Rule promulgated pursuant to the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

The ISU settlement involves a breach of the unsecured electronic protected health information (ePHI) of approximately 17,500 patients at ISU’s Pocatello Family Medicine clinic. The HHS Office for Civil Rights (OCR) opened an investigation in November 2011 after ISU notified OCR in August 2011 about a breach due to the disabling of certain firewall protections at servers maintained by ISU. As a result of the disabling of these firewall protections, the ePHI of approximately 17,500 patients, which was maintained by ISU, was unsecured for a period of at least 10 months.

Specifically, OCR’s investigation revealed that (1) ISU did not conduct an analysis of the risk to the confidentiality of ePHI as part of its security management process from April 1, 2007, until Nov. 26, 2012; (2) ISU did not adequately implement security measures sufficient to reduce the risks and vulnerabilities to a reasonable and appropriate level from April 1, 2007, until Nov. 26, 2012; and (3) ISU did not adequately implement procedures to regularly review records of information system activity to determine if any ePHI was used or disclosed in an inappropriate manner from April 1, 2007, until June 6, 2012.

ISU has agreed to a two-year comprehensive corrective action plan to address the issues uncovered by OCR’s investigation, which requires ISU to (1) provide HHS with documentation designating it as a hybrid entity and identifying all its designated covered healthcare components; (2) provide its risk management plan to HHS; (3) submit records pertaining to the implementation of its information system activity review across its covered healthcare components; (4) conduct and document a compliance gap analysis; and (5) investigate and report any violation of its HIPAA privacy and security policies and procedures to HHS within 30 days of the investigation.

The recent ISU settlement is another example of increased HIPAA enforcement. Covered entities should take note that OCR is increasingly imposing significant penalties in response to HIPAA noncompliance.