Idaho State University Fined $400,000 for HIPAA Security Rule Violation
In August 2010, Idaho State University notified the HHS Office for Civil Rights (the "OCR") that, after technicians performed routine server maintenance for its Pocatello Family Medicine Clinic, they failed to put the server firewall back into place. This left the protected health information of 17,500 patients exposed for at least 10 months.
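The failure described above is a control gap rather than an exploit: a host was returned to service with no verification that its firewall was still in force. The following is an added example, not code from the article or from Idaho State University, of the kind of post-maintenance check that closes that gap. It parses `iptables -S` style output (iptables-save syntax, where `-P` lines give chain default policies and `-A` lines append rules), compares the live ruleset with an approved baseline, and reports any drift. The baseline and the "after maintenance" dump are constructed sample values; the clinic addresses and ports are assumptions for illustration only.

```python
"""Post-maintenance firewall verification check.

Added example (not from the original article or from Idaho State University):
parses `iptables -S` style output, compares it with an approved baseline, and
reports any drift, so that a server patched or rebuilt during maintenance is
not returned to service with its firewall missing. The rule dumps below are
constructed for illustration; the format follows `iptables -S`, where `-P`
lines give chain default policies and `-A` lines append rules.
"""

# Approved baseline: default-deny inbound, allow loopback and established
# traffic, and only the clinic application ports. (Constructed example values.)
BASELINE = """\
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 443 -s 10.20.0.0/16 -j ACCEPT
-A INPUT -p tcp --dport 22 -s 10.20.1.0/24 -j ACCEPT
"""

# What a host might report after maintenance that reset the firewall:
# every policy back to ACCEPT and no rules loaded at all. (Constructed.)
AFTER_MAINTENANCE = """\
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
"""


def parse_rules(dump: str):
    """Split an iptables -S dump into ({chain: policy}, set of rule lines)."""
    policies = {}
    rules = set()
    for raw in dump.splitlines():
        line = " ".join(raw.split())  # normalise whitespace so rules compare cleanly
        if not line or line.startswith("#"):
            continue
        if line.startswith("-P "):
            _, chain, policy = line.split(" ", 2)
            policies[chain] = policy
        elif line.startswith("-A "):
            rules.add(line)
        # -N (new chain) lines carry no policy or rule and are ignored here
    return policies, rules


def check_firewall(current: str, baseline: str):
    """Return a list of human-readable findings; an empty list means no drift."""
    cur_pol, cur_rules = parse_rules(current)
    base_pol, base_rules = parse_rules(baseline)
    findings = []
    # A chain whose default policy changed from DROP to ACCEPT is the exact
    # failure mode the article describes, so check policies first.
    for chain, expected in base_pol.items():
        actual = cur_pol.get(chain)
        if actual != expected:
            findings.append(f"policy {chain}: expected {expected}, found {actual}")
    for rule in sorted(base_rules - cur_rules):
        findings.append(f"missing rule: {rule}")
    for rule in sorted(cur_rules - base_rules):
        findings.append(f"unexpected rule: {rule}")
    return findings


def firewall_ok(current: str, baseline: str = BASELINE) -> bool:
    """True only when the live ruleset matches the approved baseline exactly."""
    return not check_firewall(current, baseline)


if __name__ == "__main__":
    # On a real host, replace AFTER_MAINTENANCE with the output of `iptables -S`
    # (for example via subprocess.run(["iptables", "-S"], capture_output=True, text=True).stdout)
    # and gate the return-to-service step on firewall_ok().
    for finding in check_firewall(AFTER_MAINTENANCE, BASELINE):
        print("DRIFT:", finding)
    print("firewall_ok:", firewall_ok(AFTER_MAINTENANCE))
```

The check is deliberately exact: an unexpected extra rule is reported as drift just as a missing one is, because a maintenance window is also when ad hoc "temporary" allow rules tend to be added and forgotten. Running it as the last step of the maintenance procedure, and again from a scheduled job, turns "did we put the firewall back?" from a question someone has to remember to ask into a recorded result.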
Once the University discovered this exposure, it conducted an investigation, notified the affected patients and reported the breach to the Office of Civil Rights. The OCR opened an investigation in November 2011 which concluded:
- The University did not conduct an analysis of the risk to the confidentiality of ePHI as part of its security management process from April 1, 2007 until November 26, 2012;
- The University did not adequately implement security measures sufficient to reduce the risks and vulnerabilities to a reasonable and appropriate level from April 1, 2007 until November 26, 2012; and
- The University did not adequately implement procedures to regularly review records of information system activity to determine if any ePHI was used or disclosed in an inappropriate manner from April 1, 2007 until June 6, 2012.
In summary, OCR found that the University's risk analyses and assessments of its clinics were incomplete and inadequately identified potential risks or vulnerabilities. The University also failed to assess the likelihood of potential risks occurring. Based on this finding, the OCR fined the University $400,000 and imposed a 2-year corrective action plan.
As we have noted before, an "accurate and thorough" Risk Analysis is a core requirement of the HIPAA Security Rule (see 45 CFR § 164.308(a)(1)(ii)(A)). The Security Rule does not specify how frequently to perform a risk analysis as part of a comprehensive risk management process. The OCR has indicated that entities may want to perform an analysis annually and are required to perform it as needed (e.g., bi-annually or every 3 years) depending on the circumstances of their environment.
The Security Rule questions which covered entities and business associates should be asking themselves are:
- Do you have an accurate and thorough, up-to-date Risk Analysis?
- Is the Risk Analysis in writing?
- Have you implemented proper safeguards in light of the vulnerabilities and threats identified in the Risk Analysis?
- Have you implemented the required policies and procedures?
- Do you have a plan to respond immediately if a security breach occurs tomorrow?