The Office for Civil Rights at HHS added to its record-setting tally of HIPAA enforcement actions this year by extracting a $650,000 payment from the University of Massachusetts at Amherst.
The federal agency charged with enforcing the federal healthcare data privacy, security and breach notification rules suggested in a news release that the amount might have been higher, but the settlement was “reflective of the fact that the University operated at a financial loss in 2015.”
The enforcement action stems from the university's own June 2013 report of a malware infection at a computer workstation in its Center for Language, Speech and Hearing. The attack led to the disclosure of the names, addresses, Social Security numbers, dates of birth, diagnoses, procedure codes and other health insurance information on 1,670 individuals, according to the civil rights office. The exploit was enabled because the university did not have a firewall in place on that computer, the agency said.
HIPAA rules allow certain organizations to declare themselves to be “hybrids,” having healthcare functions that are covered under HIPAA, and other business that is not.
According to the civil rights office, “to successfully 'hybridize,' the entity must designate in writing the healthcare components that perform functions covered by HIPAA and assure HIPAA compliance for its covered healthcare components.” The agency said UMass Amherst failed to include the center as a HIPAA-covered component in its hybridization plan. The university also failed to conduct “an accurate and thorough” HIPAA risk assessment until September 2015, well after the breach occurred.
Kirk Nahra, a lawyer specializing in healthcare privacy at Wiley Rein in Washington, D.C., said there's no need for compliance officers at HIPAA hybrid organizations to panic, thinking the feds are targeting them.
“They're not going after hybrids, they're going after people for violating HIPAA,” Nahra said. “What happened here is they (UMass) drew a line and missed a pertinent part.”
“I think there is a message, in a sense, to hospitals that are part of universities, to err on the side of bringing something into HIPAA,” he said.
This was the 13th HIPAA settlement this year by the civil rights office, which has collected $23.5 million during the period. Both the number of settlements and the total dollar amount are annual records. Overall, since 2008, there have been 41 settlements and one court-ordered penalty levied against alleged HIPAA violators, yielding $56.2 million.