In addition to the breach, the OCR found that the university had not conducted a HIPAA-required risk assessment from April 1, 2007, until Nov. 26, 2012; had not adequately implemented security measures to reduce risks and vulnerabilities to a reasonable and appropriate level; and had not adequately implemented procedures to regularly review records of information system activity to determine whether any ePHI (electronic protected health information) had been used or disclosed inappropriately, all over the same period.
“Risk analysis, ongoing risk management and routine information system reviews are the cornerstones of an effective HIPAA security compliance program,” said OCR Director Leon Rodriguez. “Proper security measures and policies help mitigate potential risk to patient information.”
The settlement agreement stated it is not an admission of liability by the university, and HHS stated ISU is not in violation of the HIPAA privacy or security rules and is not liable for civil monetary penalties.
The university performed its own audit of the unguarded server and hired a third-party firm to do a forensic audit of the system and both concluded the patient records had not been improperly accessed, according to Greg Ehradt, a lawyer and the HIPAA compliance officer for the university. “They were vulnerable, certainly, but they were not compromised and no patient data was accessed.”
Since September 2009, there have been 607 major breaches reported to OCR in which 500 or more patients' records were affected, according to the agency's website. Combined, these major breaches have exposed the records of more than 22.1 million people. The reporting and public posting of these larger breaches is required under HIPAA amendments in the American Recovery and Reinvestment Act of 2009.
Since 2008, the OCR has obtained agreements or taken enforcement actions involving monetary settlements or penalties against 13 organizations, according to a list on the agency's website and a presentation this month by Rodriguez.
The smallest settlement amount, $35,000, was with the Management Services Organization Washington Inc. The largest sum, a civil monetary penalty of $4.3 million, was levied against Cignet Health of Prince George's County, Md., which led to a court judgment of nearly $4.8 million.
Earlier this year, the Hospice of North Idaho agreed to pay $50,000 to settle potential violations of the HIPAA law for a security breach involving the 2010 theft of an unencrypted laptop computer containing protected health information of 441 patients.
Follow Joseph Conn on Twitter: @MHJConn