Lack of Firewall, Risk Analysis Earns University $650,000 HIPAA Fine

November 28, 2016
Medicare Web

The University of Massachusetts Amherst (UMass) agreed to a $650,000 HIPAA settlement fine after a breach investigation revealed the university failed to implement basic security measures, the Office for Civil Rights (OCR) said in a November 22 statement.

In 2013, UMass notified OCR of a breach of unsecured protected health information (PHI) at its Center for Language, Speech, and Hearing. A workstation at the center was infected with malware that left PHI vulnerable to unauthorized third-party access. The breach affected approximately 1,670 individuals. OCR’s subsequent investigation revealed a number of significant security and compliance gaps.

UMass operates as a hybrid entity under HIPAA, according to the resolution and corrective action plan (CAP). Under HIPAA, a hybrid entity is an entity which has some functions that are covered under HIPAA and some which are not. A hybrid entity must designate in writing what functions it performs that are covered by HIPAA and is responsible for applying HIPAA to those functions. However, UMass did not include all business components that meet the definition of a covered entity or business associate in its hybrid designation statement. Although UMass did include the center in its hybrid designation, it did not implement HIPAA-compliant policies and procedures at the center.

The investigation also found that UMass did not protect electronic PHI with a firewall, a basic HIPAA security requirement.

And, in a HIPAA compliance failing seen repeatedly this year, UMass did not conduct thorough organizationwide risk analyses.

Under the terms of the CAP, UMass must adopt a security management process, including an organizationwide risk analysis and a risk management plan. Both the risk analysis and risk management plan must be submitted to OCR for approval. UMass also agreed to create and update policies and procedures and train staff on HIPAA compliance.

OCR’s recent HIPAA settlement fines have gone over the million-dollar mark. However, the agency may have softened its stance in this case because UMass operated at a loss in 2015.
