[BreachExchange] UMass Amherst dinged with $650, 000 HIPAA settlement

[Audrey McNeil]

http://www.modernhealthcare.com/article/20161123/NEWS/161129953

The Office for Civil Rights at HHS added to its record-setting tally of
HIPAA enforcement actions this year by extracting a $650,000 payment from
the University of Massachusetts at Amherst.

The federal agency charged with enforcing the federal healthcare data
privacy, security and breach notification rules suggested in a news release
that the amount might have been higher, but the settlement was “reflective
of the fact that the University operated at a financial loss in 2015.”

The enforcement action stems from the university's own June 2013 report of
a malware infection at a computer workstation in its Center for Language,
Speech and Hearing. The attack led to the disclosure of the names,
addresses, Social Security numbers, dates of birth, diagnoses, procedure
codes and other health insurance information on 1,670 individuals,
according to the civil rights office. The exploit was enabled because the
university did not have a firewall in place on that computer, the agency
said.

HIPAA rules allow certain organizations to declare themselves to be
“hybrids,” having healthcare functions that are covered under HIPAA, and
other business that is not.

According to the civil rights office, “to successfully 'hybridize,' the
entity must designate in writing the healthcare components that perform
functions covered by HIPAA and assure HIPAA compliance for its covered
healthcare components." The agency said UMass Amherst failed to include the
center as a HIPAA-covered component in its hybridization plan. The
university also failed to conduct “an accurate and thorough” HIPAA risk
assessment until September 2015, well after the breach occurred.

Kirk Nahra, a lawyer specializing in healthcare privacy at Wiley Rein in
Washington, D.C., said there's no need for compliance officers at HIPAA
hybrid organizations to panic, thinking the feds are targeting them.

“They're not going after hybrids, they're going after people for violating
HIPAA,” Nahra said. “What happened here is they (UMass) drew a line and
missed a pertinent part.”

“I think there is a message, in a sense, to hospitals that are part of
universities, to err on the side of bringing something into HIPAA,” he said.

This was the 13th HIPAA settlement this year by the civil rights office,
which has collected $23.5 million during the period. Both the number of
settlements and the total dollar amount are annual records. Overall, since
2008, there have been 41 settlements and one court-ordered penalty levied
against alleged HIPAA violators, yielding $56.2 million.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20161123/4fedb8a5/attachment.html>