Following alleged HIPAA violations stemming from a malware infection that potentially exposed the ePHI of 1,670 individuals, the University of Massachusetts Amherst (UMass) agreed to an OCR HIPAA settlement.
Along with adhering to a corrective action plan, UMass will need to pay $650,000. The amount was chosen taking into account that the university operated at a financial loss in 2015, according to the OCR statement.
The incident occurred when a malware infection was discovered on a workstation in the UMass Center for Language, Speech, and Hearing (the Center). UMass reported the data security issue on June 18, 2013, and “determined that the malware was a generic remote access Trojan that infiltrated their system, providing impermissible access to ePHI, because UMass did not have a firewall in place.”
Potentially exposed information included names, addresses, Social Security numbers, dates of birth, health insurance information, diagnoses and procedure codes.
OCR determined in its investigation that UMass failed to designate all of its healthcare components when hybridizing. The university incorrectly determined that the Center was in fact a covered healthcare component.
“Because UMass failed to designate the Center a health care component, UMass did not implement policies and procedures at the Center to ensure compliance with the HIPAA Privacy and Security Rules,” OCR explained.
While HIPAA regulations allow for covered entities to “hybridize,” it “must designate in writing the health care components that perform functions covered by HIPAA and assure HIPAA compliance for its covered health care components.”
UMass also did not implement the necessary technical safeguards, according to OCR, and had not conducted an accurate and thorough risk analysis until September 2015.
“HIPAA’s security requirements are an important tool for protecting both patient data and business operations against threats such as malware,” OCR Director Jocelyn Samuels said in a statement. “Entities that elect hybrid status must properly designate their health care components and ensure that those components are in compliance with HIPAA’s privacy and security requirements.”
Per the corrective action plan, UMass must also do the following:
- Conduct an enterprise-wide risk analysis
- Develop and implement a risk management plan
- Revise its policies and procedures
- Train its staff on the policies and procedures
“This Risk Analysis shall incorporate all UMass facilities, whether owned or rented, and evaluate the risks to the ePHI on all of its electronic equipment, data systems, and applications controlled, administered or owned by UMass or any UMass entity, that contain, store, transmit, or receive ePHI,” the action plan explains. “Prior to conducting the Risk Analysis, UMass shall develop a complete inventory of all of its facilities, electronic equipment, data systems, and applications that contain or store ePHI that will then be incorporated into its Risk Analysis.”
The subsequent risk management plan must also include a process and timeline for UMass' implementation, evaluation, and revision of its risk remediation activities, OCR noted.