On November 22, 2016, the Department of Health and Human Services (“HHS”) announced a $650,000 settlement with University of Massachusetts Amherst (“UMass”), resulting from alleged violations of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Privacy and Security Rules.

On June 18, 2013, UMass reported to HHS’ Office for Civil Rights (“OCR”) that one of its computer systems at its Center for Language, Speech, and Hearing (the “Center”) had been infected by a malware program, resulting in the unauthorized disclosure of electronic protected health information (“ePHI”) of 1,670 individuals, including names, addresses, Social Security numbers, dates of birth, health insurance information, diagnoses and procedure codes. OCR investigated and discovered that:

  • As a “hybrid” entity, UMass failed to designate all of its health care components that fall within the scope of HIPAA, incorrectly determining that some components, including the Center where the breach occurred, were not covered components. Because UMass did not designate the Center as a covered health care component, UMass failed to implement policies and procedures at the Center to ensure compliance with the HIPAA Privacy and Security Rule.
  • UMass did not have firewalls in place to guard against unauthorized access to ePHI transmitted over an electronic communications network.
  • UMass did not conduct an accurate and thorough risk analysis until September 2015.

The resolution agreement requires UMass to pay $650,000 to OCR, which is reflective of the fact that UMass operated at a financial loss in 2015. The resolution agreement also requires UMass to enter into a Corrective Action Plan that obliges UMass to:

  • Conduct an enterprise-wide risk analysis, subject to approval by HHS, that evaluates the risks to ePHI on all of its electronic equipment, data systems and applications controlled, administered or owned by UMass or any UMass entity that contains, stores, transmits or receives ePHI.
  • Develop and implement an enterprise-wide risk management plan, subject to approval by HHS, to address and mitigate security risks and vulnerabilities identified in the risk analysis.
  • Revise its policies and procedures to comply with the HIPAA Privacy and Security Rules and submit those policies and procedures to HHS for approval.
  • Train staff who have access to ePHI on the revised policies and procedures.

OCR Director Jocelyn Samuels stated that “[e]ntities that elect hybrid status must properly designate their health care components and ensure that those components are in compliance with HIPAA’s privacy and security requirements.”