Idaho State University will pay $400,000 to the U.S. Department of Health Human Services to settle alleged violations of the HIPAA Security Rule. The settlement comes after ISU’s Pocatello Family Medicine Clinic disabled server firewall protections for a period of at least 10 months, resulting in the breach of electronic protected health information for 17,500 patients.
ISU operates 29 outpatient clinics and is required to provide health information technology systems security at those clinics. Between four and eight of the ISU clinics are subject to the HIPAA Privacy and Security Rules, including the clinic where the breach occurred, HHS officials say.
The HHS Office for Civil Rights opened an investigation in November 2011 after ISU's August 2011 notification of the breach, which resulted from disabling of firewall protections at servers maintained by ISU. Over the course of the investigation, agency officials say it found that, for more than three years, ISU’s risk analyses and assessments of its clinics were incomplete and inadequately identified potential risks or vulnerabilities. ISU also failed to assess the likelihood of potential risks occurring.
OCR concluded that ISU did not apply proper security measures and policies to address risks to ePHI and did not have procedures for routine review of its information system in place, which could have detected the firewall breach much sooner.
“Risk analysis, ongoing risk management, and routine information system reviews are the cornerstones of an effective HIPAA security compliance program,” said OCR Director
Leon Rodriguez, in a May 21 press statement. “Proper security measures and policies help mitigate potential risk to patient information.”
ISU has agreed to a comprehensive corrective action plan to address the issues uncovered by the investigation and its failure to ensure uniform implementation of required HIPAA Security Rule protections at each of its covered clinics.
To date, OCR has collected $15.3 million relating to HIPAA violations and settlements.
“The real purpose of breach notification is for covered entities to identify the vulnerabilities that resulted in the breach, (and) remedy those vulnerabilities in an immediate and decisive manner,” said Rodriguez, in a HIPAA session at HIMSS13. “And also for us to learn from those breach reports where those vulnerabilities are.”
Rodriguez pointed out that although some 65,000 breach reports have been filed with the OCR since 2009, only a handful of those have resulted in enforcement action.
With that said, lax policies, irresponsible behavior and the lack of proper risk analyses are nothing to joke about. Some groups have had to pay serious money for improperly handling data breaches. “We are now at a point where we have collected a total of over $15 million from our enforcement activity,” said Rodriguez, with the lion’s share coming from resolution agreements with the covered entity.
He cited the case of Alaska Department of Health and Social Services, which handed over $1.7 million to the OCR in June relating to a stolen USB device containing the personal health information of some 2,000 patients. This is not the typical fine, however, Rodriguez added. “A lot of the deficiencies and violations that we identified in that case,” he said, “continued well beyond the reported breach, and there was weak evidence of an effort to remedy that breach.”
Just this January, in what's been billed as the first HIPAA breach settlement involving fewer than 500 patients, Hospice of North Idaho paid $50,000 to the Department of Health and Human Services, settling potential HIPAA violations stemming from a 2010 incident. After an unencrypted company laptop containing the electronic protected health information of 441 patients had been stolen in June 2010, officials at the HHS Office for Civil Rights began its investigation and found that HONI had not conducted adequate risk analysis to safeguard patient ePHI.