Yesterday, the Office for Civil Rights (OCR) announced a $650,000 settlement with the University of Massachusetts Amherst (UMass).
The UMass health system includes a Center for Language, Speech, and Hearing. UMass did not designate the Center as a covered entity that must comply with HIPAA, and so excluded the Center from its HIPAA security program. As a result, no firewall was in place to protect the Center from malware. A malware program infiltrated a Center workstation, disclosing the PHI of 1,670 patients.
What did the OCR find?
After UMass self-reported the data breach, OCR investigated. In addition to the lack of firewalls, the OCR found that UMass failed to properly designate all components of its hybrid entity system. In other words, UMass decided that the Center was not subject to HIPAA, and that decision was incorrect.
The OCR also determined that UMass's first thorough HIPAA security risk assessment was conducted in September 2015, two years after this breach was self-reported.
Isn't this penalty pretty low?
Yes. Recent HIPAA settlements have reached as high as $5.55 million, which makes this settlement appear relatively low. The OCR advised that this settlement of $650,000 "is reflective of the fact that the University operated at a financial loss in 2015." Had UMass's financial position been stronger, the settlement amount could have been higher.
What can we do?
Make HIPAA security risk assessments a top priority. If you haven't assessed in a year, now's the time. If you have had a technology change since your last assessment, now's the time. If you have changed the way you do business, or the way you access, use or transmit PHI, now's the time.
A thorough risk assessment is an opportunity to identify all lines of business that are subject to HIPAA. It is also an opportunity to verify that safeguards are sufficient and risks are mitigated.
Even if your security risk assessment is up to date, use this settlement to your advantage and ask: do we have firewalls in place? Everyone in a HIPAA or compliance leadership position should be able to answer this question. Hopefully, someone on the board will ask you this very question.