Summary

On November 22, 2016, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), announced that University of Massachusetts Amherst (UMA) agreed to settle allegations relating to the HIPAA Privacy and Security Rules for $650,000 and enter into a corrective action plan (CAP). This is the 13th settlement announced by OCR in 2016. The fines imposed by OCR this year from these settlements total almost $24 million.

In June 2013, UMA reported that a workstation in its Center for Language, Speech and Hearing (Center) was infected with malware. UMA determined that the malware was a generic remote access Trojan that was able to infiltrate UMA’s information technology system because UMA did not have a firewall in effect. The malware resulted in the impermissible disclosure of electronic protected health information (ePHI) of approximately 1,670 individuals.

OCR stated that its investigation of the UMA malware incident revealed the following:

• UMA did not include each necessary HIPAA covered component in its hybrid entity designation, including the Center.  Because the Center was not included within the hybrid entity designation, UMA did not implement policies and procedures for HIPAA Privacy and Security compliance at the Center;
• UMA did not conduct an accurate and thorough risk analysis of the potential risks and vulnerabilities to the confidentiality, integrity and availability of all of its ePHI; and
• UMA did not implement technical security measures at the Center to ensure that firewalls were in place.

The CAP entered into by UMA as part of the Resolution Agreement provides that UMA will do each of the following:

• conduct a comprehensive risk analysis of its ePHI that will be shared with OCR for OCR’s approval;
• develop an enterprise-wide risk management plan to address and mitigate security risks and vulnerabilities identified in the risk analysis that will be shared with OCR for its approval;
• review and revise, as necessary, the Center’s HIPAA written policies and procedures and share them with OCR for its approval; and
• distribute the Center’s revised HIPAA policies with the Center’s workforce and provide training for these individuals with respect to these policies.  

The Resolution Agreement, CAP and OCR press release may be found here.

Important Takeaways and Next Steps

It is critically important for universities and other entities that have diverse (HIPAA and non-HIPAA governed) activities to ensure that they have appropriately created their hybrid entity designations and that each HIPAA covered component is included in the hybrid entity designation.  Universities should not overlook “smaller” clinics and health care operations on the university campus in designating their covered components. The hybrid entity designated components must be updated as appropriate.  

OCR continues to prioritize the importance of HIPAA Security Rule compliance in recent settlements.  Malware can affect any institution – no matter its size.  In order to protect ePHI, covered entities and business associates should regularly review HIPAA Privacy, Security and Breach Notification policies, undertake an enterprise-wide risk analysis, and thereafter implement and maintain an appropriate risk management plan.

OCR’s announcement of settlements with covered entities and business associates have averaged more than one per month during 2016.  OCR inferred in its press release that it would have required a higher settlement payment from UMA were it not for the fact that UMA operated at a financial loss in 2015.