HIPAA Compliance News

$3.2 Million HIPAA Civil Monetary Penalty for Children’s Medical Center of Dallas

Posted February 2, 2017 by HIPAA Journal

The Department of Health and Human Services’ Office for Civil Rights (OCR) has announced that Children’s Medical Center of Dallas has paid a civil monetary penalty of $3.2 million to resolve multiple HIPAA violations spanning several years.

It is relatively rare for OCR a HIPAA Civil Monetary Penalty to be paid by a HIPAA-covered entity to resolve HIPAA violations discovered during OCR data breach investigations. In the vast majority of cases when serious violations of the Health Insurance Portability and Accountability Act are discovered by OCR investigators, the covered entity in question enters into a voluntary settlement with OCR.

Typically, this sees the covered entity pay a lower amount to OCR to resolve the HIPAA violations. OCR attempted to resolve the matter via informal means between November 6, 2015, to August 30,2016, before issuing a Notice of Proposed Determination on September 30, 2016. In the Notice of Proposed Determination, OCR explained that Children’s Medical Center of Dallas could file a request for a hearing, although no request was received. Consequently, Children’s Medical Center of Dallas was required to pay the full civil monetary penalty of $3,217,000, making this the biggest HIPAA violation penalty of 2017, eclipsing the payments made by Presense Health ($475,000) and MAPFRE Life Insurance Company of Puerto Rico ($2.2 million).

Children’s Medical Center of Dallas is run by Children’s Health, a Dallas-based healthcare system comprising three hospitals and numerous clinics in North Texas. On January 18, 2010, OCR was notified by Children’s Medical Center that a breach of patients’ electronic protected health information (ePHI) had occurred. The breach involved the loss of a Blackberry device containing the ePHI of 3,800 patients. The device had not been encrypted and was not protected with a password, allowing any individual who found the device to access the ePHI of patients.

An investigation into the breach was launched on or around June 14, 2010. As part of the investigation, Children’s Medical Center provided OCR with a Security Gap Analysis conducted by Strategic Management Systems, Inc., (SMS) between December 2006 and February 2007. That analysis revealed a lack of risk management at Children’s Medical Center. In the report, SMS recommended that Children’s Medical Center implement encryption on portable devices such as laptop computers to prevent the exposure of ePHI in the event that a device be lost or stolen. Children’s Medical Center failed to act on that recommendation.

PricewaterhouseCoopers (PwC) conducted an analysis of threats and vulnerabilities to ePHI in August 2008. In the PwC report, it was also recommended that Children’s Medical Center implement encryption on laptop computers, workstations, mobile devices, and portable storage devices such as USB thumb drives. PwC determined that the use of encryption was “necessary and appropriate.” Children’s Medical Center failed to act on PwC’s recommendations, even though encryption was rated as a “high priority” item.

To OCR it was clear that Children’s Medical Center was aware of the risks to the confidentiality, integrity, and availability of ePHI and that were was a lack of appropriate safeguards for ePHI at rest. Children’s Medical Center was aware of the risks as early as March 2007, more than a year before the security incident occurred and ePHI was exposed. Had Children’s Medical Center acted on the recommendations of SMS or PwC the breach could have been avoided.

In addition to the lost Blackberry in 2010, Children’s Medical Center reported the loss of an unencrypted iPod containing the ePHI of 22 patients. The loss occurred in December 2010. On July 5, 2013, Children’s Medical Center notified OCR of another breach involving an unencrypted device. In this case, the laptop theft resulted in the exposure of 2,462 individuals’ ePHI.

Even after the data breaches were experienced, Children’s Medical Center failed to act; only implementing encryption on portable devices in April, 2013. From 2007 to April 9, 2013, nurses were using unprotected Blackberry devices that contained ePHI, while other workers were using unencrypted laptop computers and mobile devices until April 9, 2013.

Encryption of ePHI is not mandatory for HIPAA-covered entities. The use of encryption to safeguard the confidentiality, integrity, and availability of ePHI is an ‘addressable’ issue.

HIPAA-covered entities are required to conduct a comprehensive, organization-wide risk assessment to determine vulnerabilities that could potentially result in the exposure of ePHI. If, after performing the risk assessment, the covered entity determines that encryption is not ‘reasonable and appropriate’, the reasons why encryption is not deemed necessary must be documented and an equivalent measure must still be implemented to ensure ePHI is appropriately secured. Children’s Medical Center failed to document why encryption had not been used and also failed to implement an equivalent security measure.

Furthermore, OCR determined that prior to November 9, 2012, Children’s Medical Center did not have sufficient policies and procedures governing the removal of hardware and electronic equipment from its facilities or movement of the devices within its facilities. Until November 9, 2012, Children’s Medical Center could not tell how many devices those policies and procedures should apply to: A full inventory was only completed on November 9, 2012. While devices had been inventoried prior to November 9, 2012, devices managed by the Biomedical department were not included in that inventory, breaching the HIPAA Security Rule (45 C.P.R. § 164.310(d)(l)).

While efforts were made to resolve the HIPAA violations informally, Children’s Medical Center was unable to ‘provide written evidence of mitigating factors or affirmative defenses and/or its written evidence in support of a waiver of a CMP.’

OCR determined that the violations were due to reasonable cause and not willful neglect of HIPAA Rules. Had that not been the case, the penalty would have been considerably higher. OCR considered the fact that there had been no apparent harm caused to patients as a result of the lost devices, and chose the minimum penalty amount of $1,000 per day that the violations were allowed to persist.

OCR’s Final Notice of Determination can be viewed on this link.

According to OCR Acting Director Robinsue Frohboese, “Ensuring adequate security precautions to protect health information, including identifying any security risks and immediately correcting them, is essential.” Frohboese also explained that the lack of risk management can be costly for covered entities, “Although OCR prefers to settle cases and assist entities in implementing corrective action plans, a lack of risk management not only costs individuals the security of their data, but it can also cost covered entities a sizable fine.”

The post $3.2 Million HIPAA Civil Monetary Penalty for Children’s Medical Center of Dallas appeared first on HIPAA Journal.

$2.2 Million Settlement for Impermissible Disclosure of ePHI

Posted January 19, 2017 by HIPAA Journal

The U.S. Department of Health and Human Services’ Office for Civil Rights has agreed to a $2.2 million settlement with MAPFRE Life Assurance Company of Puerto Rico – A subsidiary of MAPFRE S.A., of Spain – to resolve potential noncompliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

The settlement relates to the impermissible disclosure of the electronic protected health information of 2,209 patients in 2011. On September 29, 2011, a portable USB storage device (pen drive) was left overnight in the IT Department from where it was stolen. The device contained a range of patients’ ePHI, including full names, Social Security numbers and dates of birth. The device was not protected by a password and data on the device were not encrypted.

MAPFRE reported the device theft to OCR, which launched an investigation to determine whether HIPAA Rules had been violated, as is customary with all breaches of ePHI that impact more than 500 individuals.

Multiple Areas of Noncompliance with HIPAA Rules Discovered

During the course of the investigation, OCR discovered numerous HIPAA noncompliance issues:

45 C.F.R. 164.502(a) – Impermissible disclosure of the ePHI of 2,209 individuals.

5 C.F.R. 164.308(a)(1)(i) – A failure to conduct a comprehensive risk assessment to evaluate risks and vulnerabilities to the confidentiality, integrity and availability of ePHI and a failure to implement measures to reduce risks to an appropriate level.

45 C.F.R. 164.308(a)(5)(i) – A failure to implement a security awareness training program for all members of the workforce.

45 C.F.R. 164.312(a)(2)(iv) – A failure to implement data encryption or an equivalent measure to safeguard the ePHI stored on portable storage devices.

45 C.F.R. 164.316 (a) – A failure to implement reasonable and appropriate policies and procedures to safeguard ePHI to comply with HIPAA standards implementation specifications.

Additionally, the corrective measures MAPFRE said it would undertake following the submission of a breach report to OCR on August 5, 2011 were delayed. MAPFRE did not start encrypting data on laptop computers and portable storage devices until September 1, 2014.

OCR considered the financial position of MAPFRE along with the number and severity of HIPAA violations when determining the resolution amount. In addition to paying OCR $2,204,182, MAPFRE is required to adopt a corrective action plan to address all areas of noncompliance.

HIPAA and Data Encryption

HIPAA does not require covered entities to implement encryption on portable devices used to store ePHI. Data encryption is only an addressable issue. However, covered entities must conduct a thorough risk assessment to identify potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI. If, after assessing risks, covered entities determine that other controls are in place to safeguard ePHI and data encryption is not appropriate, the reasons for not implementing encryption must be documented.

Recent HIPAA Settlements

OCR has stepped up its enforcement of HIPAA Rules in recent years, with more settlements agreed in 2016 than in any other year to date. Last year, 12 healthcare organizations settled potential HIPAA violations with OCR, and one civil monetary penalty (CMP) was imposed.

MAPFRE is the second HIPAA-covered entity to settle potential HIPAA violations with OCR in 2017. Last week, OCR announced a settlement of $475,000 had been agreed with Presense Health for violations of the HIPAA Breach Notification Rule.

The post $2.2 Million Settlement for Impermissible Disclosure of ePHI appeared first on HIPAA Journal.

No HIPAA Violation Fine for Virginia State Senator

Posted January 19, 2017 by HIPAA Journal

While campaigning to become Republican state senator for Virginia in 2015, Henrico County physician Siobhan Dunnavant, M.D., used patients’ contact information – classed as protected health information under HIPAA Rules – to solicit donations from patients to help fund her campaign.

Contact information – names and addresses – was shared with her campaign team and was used to communicate with patients. The same information was also disclosed to a direct mail company: A violation of the HIPAA Privacy Rule. At least two complaints were received by the Department of Health and Human Services’ Office for Civil Rights about the privacy violation last year.

An OCR regional office contacted Dunnavant after being alerted to the privacy violation and informed her that her actions constituted an impermissible use and disclosure of PHI – violations of the HIPAA Privacy Rule. Such violations can result in financial penalties being issued.

Dunnavant, who was later elect to the state senate, could have been fined up to $250,000 for the HIPAA violation and could potentially have been imprisoned for up to 10 years. However, OCR has chosen not to take further action.

No financial penalty was deemed appropriate as Dunnavant took immediate action to minimize damage. The investigation into the HIPAA violations has now been closed.

HIPAA violations are not always punishable with civil monetary penalties and do not always require resolution agreements. OCR prefers to resolve HIPAA violations through voluntary compliance and by issuing technical assistance. Civil monetary penalties and resolution agreements are typically reserved for the most serious violations of HIPAA Rules.

While Dunnavant’s use of patient contact information to solicit contributions did violate HIPAA Rules, the privacy violation was relatively minor and no patients came to harm as a result. Dunnavan believed her actions were permitted under HIPAA Rules as she had obtained a business associate agreement prior to disclosing the information.

Senator Dunnavant told the Richmond-Times Dispatch that the mailings were intended to advise patients of her political activity and reassure them that it would not have an impact on the provision of medical services. Dunnavant said she sought advice from her lawyers and medical practice board before sending the letter and no HIPAA issues were raised. She also said she regretted adding an appeal for political support to the letters.

The post No HIPAA Violation Fine for Virginia State Senator appeared first on HIPAA Journal.

OCR Reminds CEs of HIPAA Audit Control Requirements to Identify Inappropriate ePHI Access

Posted January 17, 2017 by HIPAA Journal

In the past few weeks, a number of HIPAA-covered entities have announced that employees have been discovered to have inappropriately accessed the medical records/protected health information of patients.

Two of the recent cases were discovered when covered entities performed routine audits of access logs. In both instances, the employees were discovered to have inappropriately accessed the electronic protected health information (ePHI) of patients over a period of more than 12 months. Once case involved the viewing of a celebrity’s medical records by multiple staff members.

Late last week, OCR released its January Cyber Awareness Newsletter which covered the importance of implementing audit controls and periodically reviewing application, user, and system-level audit trails. NIST defines audit logs as records of events based on applications, system or users, while audit trails are audit logs of applications, system or users.

Most information systems include options for logging user activity, including access and failed access attempts, the devices that have been used to log on, and the duration of login periods, and whether data have been viewed.

Audit trails are particularly useful when security incidents occur as they can be used to determine whether ePHI access has occurred and which individuals have been affected. Logs can be used to track unauthorized disclosures, potential intrusions, attempted intrusions, and in forensic analyses of data breaches and cyberattacks. Covered entities can also use logs and trails to review the performance of applications and to help identify potential flaws.

OCR confirmed that recording data such as these, and reviewing audit logs and audit trails is a requirement of the HIPAA Security Rule. (45 C.F.R. § 164.312(b)).

The HIPAA Security Rule requires covered entities to record audit logs and audit trails for review, although the types of data that should be collected are not specified by the legislation. The greater the range of information collected, the more thoroughly security incidents can be investigated. However, covered entities should carefully assess and decide on which data elements are stored in logs. It will be quicker and easier to review audit logs and trails if they only contain relevant information.

The HIPAA Security Rule does not specify how often covered entities should conduct reviews of user activities, instead this is left to the discretion of the covered entity. Information gathered from audit logs and trails should be reviewed ‘regularly’.

A covered entity should determine the frequency of reviews based on the results of their risk analyses. Organizations should also consider organizational factors such as their technical infrastructure and hardware/software capabilities when determining the review period.

OCR also points out that a review of audit logs and trails should take place after any security incident, such as a suspected breach, although reviews should also be conducted during real-time operations. Due to the potential for audit log tampering, OCR reminds covered entities that “Access to audit trails should be strictly restricted, and should be provided only to authorized personnel.”

The post OCR Reminds CEs of HIPAA Audit Control Requirements to Identify Inappropriate ePHI Access appeared first on HIPAA Journal.

OCR HIPAA Enforcement: Summary of 2016 HIPAA Settlements

Posted January 12, 2017 by HIPAA Journal

The Department of Health and Human Services’ Office for Civil Rights has stepped up its enforcement activities in recent years, and 2016 HIPAA settlements were at record levels. In total, payments of $22,855,300 were made to OCR in 2016 to resolve alleged HIPAA violations. Seven settlements were in excess of $1,500,000.

In 2016, OCR settled alleged HIPAA violations with 12 healthcare organizations. Last year also saw an Administrative Law Judge rule that civil monetary penalties previously imposed on a covered entity – Lincare Inc. – by OCR were lawful, bringing the total to thirteen for 2016. Lincare was only the second healthcare organization required to pay a civil monetary penalty for violations of the Health Insurance Portability and Accountability Act. All other organizations opted to settle with OCR voluntarily.

Financial penalties are not always appropriate. OCR prefers to settle potential HIPAA violations using non-punitive measures. Financial penalties are reserved for the most severe violations of HIPAA Rules, when widespread non-compliance is discovered, or in cases where healthcare organizations have blatantly disregarded HIPAA Rules.

While largescale breaches of PHI may warrant financial penalties and will have an impact on the final settlement amount, OCR has resorted to financial penalties when relatively few individuals have been impacted by healthcare data breaches. This year has seen two settlements with organizations for breaches that have impacted fewer than 500 individuals – New York Presbyterian Hospital and Catholic Health Care Services of the Archdiocese of Philadelphia – and one civil monetary penalty – Lincare Inc.

A summary of 2016 HIPAA settlements with the Office for Civil Rights is detailed in the table below:

Summary of 2016 HIPAA Settlements

Covered Entity	Date	Amount	Breach that triggered OCR investigation	Individuals impacted
University of Massachusetts Amherst (UMass)	November, 2016	$650,000	Malware infection	1,670
St. Joseph Health	October, 2016	$2,140,500	PHI made available through search engines	31,800
Care New England Health System	September, 2016	$400,000	Loss of two unencrypted backup tapes	14,000
Advocate Health Care Network	August, 2016	$5,550,000	Theft of desktop computers, loss of laptop, improper access of data at business associate	3,994,175 (combined total of three separate breaches)
University of Mississippi Medical Center	July, 2016	$2,750,000	Unprotected network drive	10.,000
Oregon Health & Science University	July, 2016	$2,700,000	Loss of unencrypted laptop / Storage on cloud server without BAA	4,361 (combined total of two breaches)
Catholic Health Care Services of the Archdiocese of Philadelphia	June, 2016	$650,000	Theft of mobile device	412 (Combined total)
New York Presbyterian Hospital	April, 2016	$2,200,000	Filming of patients by TV crew	Unconfirmed
Raleigh Orthopaedic Clinic, P.A. of North Carolina	April, 2016	$750,000	Improper disclosure to business associate	17,300
Feinstein Institute for Medical Research	March, 2016	$3,900,000	Improper disclosure of research participants’ PHI	13,000
North Memorial Health Care of Minnesota	March, 2016	$1,550,000	Theft of laptop computer / Improper disclosure to business associate (discovered during investigation)	299,401
Complete P.T., Pool & Land Physical Therapy, Inc.	February, 2016	$25,000	Improper disclosure of PHI (website testimonials)	Unconfirmed
Lincare, Inc.	February, 2016*	$239,800	Improper disclosure (unprotected documents)	278

*Civil monetary penalty confirmed as lawful by an administrative law judge

The largest HIPAA settlement of 2016 – and the largest HIPAA settlement ever agreed with a single covered entity – was announced in August. OCR agreed to settle potential HIPAA violations with Advocate Health Care Network for $5.5 million.

The previous largest HIPAA settlements were agreed with New York-Presbyterian Hospital and Columbia University after PHI was accidentally indexed by search engines. The two entities were required to pay OCR a total of $4.8 million, with $3.3 million covered by New York-Presbyterian Hospital and the remainder by Columbia University. The previous largest HIPAA settlement for a single entity was agreed with Cignet Health ($4.3 million) for denying 41 patients access to their health records.

2017 has started with an early settlement with Presence Health. The $475,000 settlement was solely based on delayed breach notifications – The first time that a settlement has been agreed solely for a HIPAA Breach Notification Rule violation.

Looking forward into 2017 and beyond, the future of HIPAA enforcement activities is unclear. The new administration may cut funding for OCR which would likely have an impact on HIPAA enforcement.

This year will see the completion of the long-delayed second round of HIPAA compliance audits, although it is unlikely that a permanent audit program will commence this year.

Last year, Jocelyn Samuels said OCR will remain “laser-focused on breaches occurring at health care entities,” and that OCR is committed to “maintain an effective enforcement program that addresses industry-wide noncompliance and provides corrective action to protect the greatest number of individuals.”

However, Jocelyn Samuels will be standing down as head of OCR and it is currently unclear who will take her place. While there are a number of suitable candidates for the position, incoming president Trump has a lot on his hands and the appointment of an OCR director is likely to be relatively low down the to do list. When a new OCR director is appointed, we may find that he/she has different priorities for the OCR’s budget.

What we can expect to see in 2017 is a continuation of enforcement actions that have already commenced. HIPAA breach investigations take time to conduct and settlements even longer. The 2016 HIPAA settlements are the result of data breach investigations that were conducted in 2012-2013. The dramatic increase in data breaches in 2014 – and HIPAA violations that caused those breaches – may well see 2017 become another record-breaking year for HIPAA settlements.

The post OCR HIPAA Enforcement: Summary of 2016 HIPAA Settlements appeared first on HIPAA Journal.

$475,000 Settlement for Delayed HIPAA Breach Notification

Posted January 9, 2017 by HIPAA Journal

The Department of Health and Human Services’ Office for Civil Rights (OCR) has announced the first HIPAA settlement of 2017. This is also the first settlement to date solely based on an unnecessary delay to breach notification after the exposure of patients’ protected health information. Presence Health, one of the largest healthcare networks serving residents of Illinois, has agreed to pay OCR $475,000 to settle potential HIPAA Breach Notification Rule violations.

Following a breach of PHI, the HIPAA Breach Notification Rule requires covered entities to issue breach notification letters to all affected individuals advising them of the breach. Those letters need to be issued within 60 days of the discovery of the breach, although covered entities should not delay the issuing of breach notifications to patients or health plan members unnecessarily.

Additionally, if the breach affects more than 500 individuals, a breach report must be submitted to Office for Civil Rights within 60 days and the Breach Notification Rule also requires covered entities to issue a breach notice to prominent media outlets. Covered entities should also place a substitute breach notice in a prominent place the company website to alert patients or plan members to the breach.

Smaller breaches impacting fewer than 500 individuals must also be reported to OCR, although covered entities can report these smaller breaches annually within 60 days of the end of the calendar year. Covered entities should note that state data breach laws may not permit such delays and that regardless of the number of individuals impacted by a breach, HIPAA requires patients to always be notified within 60 days of a PHI breach.

Presence Health experienced a breach of physical protected health information (PHI) in late 2013. Operating room schedules had been removed from the Presense Surgery Center at the Presence St. Joseph Medical Center in Joliet, Illinois, and could not be located. The documents contained sensitive data on 836 patients, including names, birth dates, medical record numbers, details of procedures performed, treatment dates, the types of anaesthesia provided, and names of the surgeons that performed operations.

Presence Health became aware that the documents were missing on October 22, 2013, yet OCR was not notified of the breach until January 31, 2014, more than a month after the 60-day HIPAA Breach Notification Rule deadline.

OCR investigates all breaches of more than 500 records – and selected branches of fewer than 500 records. The OCR investigation revealed notification to OCR was issued 104 days after the breach was discovered – 34 days after the deadline for reporting the incident had passed. A media notice was issued, although not until 106 days after the breach was discovered – 36 days after the HIPAA Breach Notification Rule deadline. Patients were notified of the breach 101 days after discovery – 31 days after the HIPAA Breach Notification Rule deadline had passed.

Investigators determined that this was not the only instance where breach notifications to patients had been delayed. Presense Health had experienced a number of smaller PHI breaches in 2015 and 2016, yet for several of those breaches, Presense Health did not provide affected individuals with timely breach notifications.

Announcing the resolution agreement and settlement, OCR Director Jocelyn Samuels said “Covered entities need to have a clear policy and procedures in place to respond to the Breach Notification Rule’s timeliness requirements.” She went on to explain the reason why individuals need to be notified of PHI breaches promptly, saying “Individuals need prompt notice of a breach of their unsecured PHI so they can take action that could help mitigate any potential harm caused by the breach.”

The settlement should serve as a warning to HIPAA covered entities that unnecessary breach notification delays can have serious financial repercussions. 60-days is the maximum time frame for reporting (and announcing) PHI breaches, not a recommendation.

The post $475,000 Settlement for Delayed HIPAA Breach Notification appeared first on HIPAA Journal.

UMass to Pay OCR $650K to Resolve HIPAA Violations

Posted November 23, 2016 by HIPAA Journal

The Department of Health and Human Services’ Office for Civil Rights (OCR) has agreed to a $650,000 settlement with University of Massachusetts Amherst (UMass). The settlement resolves HIPAA violations that contributed to the university experiencing a malware infection in 2013.

In early 2013, malware was installed on a workstation in the Center for Language, Speech, and Hearing. The infection resulted in the impermissible disclosure of the electronic protected health information of 1,670 individuals. Those individuals had their names, addresses, social security numbers, birth dates, health insurance information, diagnoses, and procedure codes disclosed to the actors behind the malware attack.

Following the discovery of the infection in 2013, UMass conducted a detailed analysis of the infected workstation. The malware was a generic remote access Trojan and infection occurred because the workstation was not protected by a firewall. UMass ascertained that access to ePHI had been gained.

OCR investigates all data breaches that impact more than 500 individuals to determine whether breached entities have complied with the HIPAA Privacy, Security, and Breach Notification Rules and whether breaches have occurred as a result of HIPAA violations. According to the resolution agreement, OCR was notified of the breach by UMass on June 4, 2013 and an investigation was launched on August 27, 2013.

OCR investigators discovered a number of areas of non-compliance with HIPAA Rules that directly contributed to the UMass data breach.

As a hybrid entity, UMass is only required to comply with HIPAA Rules for some of its components – Those that meet the definition of a covered entity or business associate under HIPAA definitions. UMass had implemented appropriate safeguards to protect the confidentiality, integrity, and availability of ePHI for its University Health Services component; but those same controls were not used for the Center for Language, Speech, and Hearing as UMass did not designate it as a healthcare component.

According to OCR, “To successfully “hybridize,” the entity must designate in writing the health care components that perform functions covered by HIPAA and assure HIPAA compliance for its covered health care components.”

This error meant that UMass did not conduct a HIPAA-compliant risk analysis at the Center. A risk analysis was eventually performed, but not until September 2015. UMass also failed to implement technical security measures to protect the Center’s network and prevent unauthorized ePHI access.

The HIPAA violations could have resulted in a much higher financial penalty but OCR took the University’s finances into account. OCR said the settlement “is reflective of the fact that the University operated at a financial loss in 2015.”

OCR Director Jocelyn Samuels announced the settlement and explained that “HIPAA’s security requirements are an important tool for protecting both patient data and business operations against threats such as malware,” Samuels went on to say “Entities that elect hybrid status must properly designate their health care components and ensure that those components are in compliance with HIPAA’s privacy and security requirements.”

UMass agreed to the settlement with no admission of liability. UMass will pay a $650,000 penalty and will adopt a corrective action plan (CAP) to ensure policies and procedures are brought in line with the minimum standards required under the Health Insurance Portability and Accountability Act.

The CAP requires UMass to conduct a comprehensive risk analysis of all equipment, systems and applications that are used to access or store ePHI to ensure all risks to the confidentiality, integrity, and availability of ePHI are identified.

An enterprise-wide risk management plan must also be developed to address all risks to ePHI that are identified by the risk analysis. A full review of policies and procedures must also take place to ensure they comply with Federal standards, and all staff members must be provided with training on those policies and procedures after they have been approved by OCR.

The post UMass to Pay OCR $650K to Resolve HIPAA Violations appeared first on HIPAA Journal.

Daily HIPAA News, HIPAA RSS Feeds, HIPAA Information