The Department of Health and Human Services (HHS) released a resolution agreement yesterday covering Idaho State University’s (ISU) HIPAA violations, which came to light through a breach ISU reported on Aug. 9, 2011. Servers at ISU’s Pocatello Family Medicine Clinic ran with their firewall protections disabled for at least 10 months, leaving the electronic protected health information (ePHI) of roughly 17,500 patients exposed; ISU will pay HHS $400,000 to settle the matter.
HHS notified ISU on Nov. 22, 2011 that it was investigating ISU’s compliance with the Privacy, Security and Breach Notification Rules, and the resolution agreement cites the following “covered conduct” as the basis for the settlement:
- ISU did not conduct an analysis of the risk to the confidentiality of ePHI as part of its security management process from April 1, 2007 until November 26, 2012;
- ISU did not adequately implement security measures sufficient to reduce the risks and vulnerabilities to a reasonable and appropriate level from April 1, 2007 until November 26, 2012;
- ISU did not adequately implement procedures to regularly review records of information system activity to determine whether any ePHI was used or disclosed in an inappropriate manner from April 1, 2007 until June 6, 2012.
ISU has entered into a Corrective Action Plan (CAP) with HHS that includes the following elements:
Hybrid Entity Designation
1. ISU shall provide HHS with documentation designating it a hybrid entity and identifying all of its components that have been designated covered health care components within 30 days of the Effective Date.
Risk Management Plan
1. ISU shall provide HHS with its most recent risk management plan that includes specific security measures to reduce the risks and vulnerabilities to a reasonable and appropriate level for all of its covered health care components. ISU shall provide the risk management plan to HHS within 30 days of the Effective Date for review and approval.
2. Upon receiving notice from HHS either approving or specifying any required changes, ISU shall make the required changes accordingly and promptly implement the risk management plan, including any applicable training, in accordance with its applicable administrative procedures.
Information System Activity Review
1. ISU shall provide HHS with documentation of the implementation of its policies and procedures regarding information system activity review across all of its covered health care component clinics. ISU shall provide the documentation to HHS within 60 days of the Effective Date for review and approval.
2. Upon receiving any required changes to such implementation from HHS, ISU shall have 30 days to revise its implementation strategy and provide it to HHS for review and approval. ISU shall provide documentation of implementation, including any applicable training, within 30 days of receipt of HHS’ approval.
Compliance Gap Analysis
1. ISU shall provide documentation of its updated compliance gap analysis activity entitled Post Incident Risk Assessment, as specified by HHS, indicating changes in compliance status regarding each Security Rule provision. Such documentation shall include, but is not limited to, a copy of the contingency plan and the documents implementing the contingency plan as well as a listing of all technical safeguards implemented and the documents implementing the technical safeguards, across its covered health care component clinics, within 30 days of the Effective Date.
Reportable Events
1. For a period of two (2) years from the Effective Date of this Agreement (the “Reporting Period”), ISU shall, upon receiving information that a workforce member may have failed to comply with its Privacy and Security policies and procedures, promptly investigate the matter. If ISU, after review and investigation, determines that a member of its workforce has failed to comply with its Privacy and Security policies and procedures, ISU shall notify HHS in writing within 30 days from the date ISU made its determination. Such violations shall be known as “Reportable Events.” The report to HHS shall include the following:
A. A complete description of the event, including the relevant facts, the persons involved, and the provision(s) of ISU’s Privacy and Security policies and procedures implicated; and
B. A description of the actions taken and any further steps ISU plans to take to address the matter, to mitigate any harm, and to prevent it from recurring, including the application of appropriate sanctions against workforce members who failed to comply with its Privacy and Security policies and procedures.
2. If no Reportable Events have occurred within the two (2) year Reporting Period, ISU shall so inform HHS in writing within thirty (30) days of the conclusion of the Reporting Period.
ISU operates 29 outpatient clinics, of which 4-8 are subject to the HIPAA Privacy and Security Rules, including the clinic where the breach occurred. It is important to note that the agreement is neither an admission of liability by ISU nor a concession by HHS that ISU did not violate the Privacy Rule or the Security Rule, or that ISU is not liable for civil money penalties.