The University of Massachusetts Amherst (UMass) recently settled with the Office for Civil Rights (OCR) for $650,000 to address allegations that UMass violated the Health Insurance Portability and Accountability Act (HIPAA) following a 2013 breach at its Center for Language, Speech, and Hearing (Center). UMass is a hybrid entity for HIPAA purposes, as it is a single legal entity that is a “covered entity” but also has business components that do not undertake “covered functions” subject to HIPAA requirements. In relevant part, OCR’s investigation revealed that UMass had not accurately designated its business components as covered or non-covered. Namely, UMass failed to recognize the Center as a covered component, and, as a result, had not implemented required policies and procedures specific to the Center’s treatment of protected health information.
In addition to the monetary settlement, UMass agreed to a Corrective Action Plan. Among other items, UMass is subject to two years of OCR monitoring and is required to implement HIPAA policies and procedures and training for the Center’s workforce.
TIP: This settlement serves as a reminder that a hybrid entity is required under HIPAA to accurately designate its covered and non-covered components and address each component’s HIPAA obligations accordingly.