Idaho State University (ISU) has agreed to pay $400,000 to the U.S. Department of Health and Human Services (HHS) and implement a corrective action plan (CAP) to resolve allegations that it violated the HIPAA Security Rule by failing to implement and continually review security policies and procedures. The settlement involves a breach of unsecured electronic protected health information of 17,500 individuals who were patients at an ISU clinic.
ISU notified the HHS Office for Civil Rights (OCR) in August 2011 of the breach, which was the result of disabled firewall protections that left patient records unsecured for approximately ten months. As a result of the notice, OCR conducted an investigation and found several alleged HIPAA Security Rule violations. Specifically, OCR found that between April 2007 and November 2012, ISU failed to conduct an analysis of the risk to the confidentiality of ePHI as part of its security management process, did not adequately implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level, and did not adequately implement procedures to regularly review records of information system activity to determine whether ePHI was used or disclosed in an inappropriate manner.
In addition to paying the $400,000 settlement amount, ISU agreed to implement a corrective action plan with compliance obligations extending through May 13, 2015. Among other things, the CAP requires ISU to furnish documentation designating it as a “hybrid entity” and to identify all components in its system that have been designated covered health care components, and report to HHS instances of workforce member noncompliance with ISU’s HIPAA Privacy and Security policies and procedures (“Reportable Events”). The report to HHS must include information such as the name of the individual involved and a description of the event; policies and procedures implicated; and actions taken to address the matter, mitigate harm and prevent recurrence.