UMass Hit with HIPAA Fines
HIPAA fines make health news headlines…again. In the wake of St Joseph’s Health’s $2-plus million fine, the University of Massachusetts in Amherst (UMass) is facing a $650,000 charge. Approximately 1,670 individuals had their information breached, including names, addresses, social security numbers, dates of birth, health insurance information, diagnoses and procedure codes.
UMass reported that malware infiltrated their system, exposing these records. As it turns out, UMass did not have a firewall in place to protect their ePHI. According to the investigation by the Office for Civil Rights (OCR), the violations of the HIPAA Rules included:
- Failure to designate all of its health care components when connecting systems. While the University Health Services were considered a covered health care component, the Center where the breach occurred was not. Because UMass failed to designate the Center a health care component, it did not ensure that the policies and procedures needed for compliance with the HIPAA Privacy and Security Rules were implemented at the Center.
- Failure to implement technical security measures at the Center to guard against unauthorized access to ePHI – namely putting a firewall in place.
- Failure to conduct a thorough risk analysis. UMass eventually did, but not until September 2015.
The resolution agreement and corrective action plan between HHS and UMass can be found here. Along with the monetary settlement, UMass will also be carrying out a corrective action plan. This plan includes an enterprise-wide risk analysis, development and implementation of a risk management plan, revision of existing policies and procedures around PHI storage and use, and training.
The HIPAA fine breaks down to almost $400 per individual affected, but that only scratches the surface of the actual price. Between notifications, legal costs, and the costs of carrying out the corrective action plan, UMass will be facing considerable expenses in the near future.
There are tools and services available to assist with managing these costs. The first part of the corrective action plan involves a risk analysis. By incorporating risk-based de-identification into their workflow, UMass would have had insight into lax security, firewall strength, and related controls. Controls are especially crucial when releasing any PHI – even to a secondary workstation. Risk-based de-identification would also have ensured that even if the records had been breached, they contained no PHI (since de-identification removes PHI from data); the data would then no longer have been subject to OCR regulation, and the HIPAA fines would have been avoided.
To learn more, make sure to check out our webinar, Sharing PHI – Best Practices for Security and Privacy. Join Privacy Analytics and special guest Heidi Shey from Forrester as they discuss how to mitigate risks in our ever-changing data landscape.