The University of Massachusetts Amherst has agreed to a HIPAA settlement of $650,000 after a breach that occurred in 2013.

Settlement

In June 2013, UMass reported a malware incident in which the protected health information (PHI) of 1,670 individuals was impermissibly disclosed. The PHI included Social Security numbers, names, addresses, dates of birth, diagnoses, procedure codes, and health insurance information. From the OCR statement, “The university determined that the malware was a generic remote access Trojan that infiltrated their system, providing impermissible access to ePHI.” There is no evidence that the information was accessed by a third party.

How did this happen?

UMass is a hybrid entity, meaning some of its departments are covered entities that must follow HIPAA regulations while others are not. This complicates matters, because the Risk Management team must determine which departments fall under HIPAA and which do not, and every department it misses is left outside the HIPAA safeguards.

In this case, the responsible parties failed to designate the UMass Center for Language, Speech, and Hearing as a department that falls under HIPAA. Because the Center was never brought into scope, HIPAA safeguards were not applied there, and the workstation the malware accessed was not protected by a firewall.

What now?

The settlement outlines the steps UMass will take to rectify the situation. These steps include conducting an enterprise-wide risk analysis, developing and implementing a risk management plan, revising policies and procedures, and training staff on the modified policies and procedures. During the investigation, the Office for Civil Rights (OCR) discovered that UMass did not conduct a full risk analysis until 2015, a significant violation of HIPAA, which requires that covered entities assess the risks to their ePHI.

In another statement from the OCR, UMass will pay $650,000 in settlement fees, “which is reflective of the fact that the University operated at a financial loss in 2015.” This suggests that the settlement fee might have been higher had UMass profited during 2015.

The takeaway

This HIPAA settlement underscores the importance of the Risk Analysis/Risk Assessment. Most corrective action plans that come out of settlements with the OCR list a Risk Analysis as the first item. It creates the baseline from which an organization decides how to better protect PHI: you cannot safeguard systems you have not identified as holding ePHI, which is exactly where UMass went wrong. The OCR continues to make clear just how important this step is in HIPAA compliance.

Don’t end up being the poster child like UMass. Use HIPAAgps to get started with your risk assessment today! Don’t leave your organization susceptible to breaches and thousands of dollars in fines.