HHS hit Idaho State University with a $400,000 fine this week over HIPAA security violations. The fine stems from a healthcare data breach involving 17,500 patients, in which a firewall was disabled for 10 months. HHS listed an incomplete and inadequate risk assessment and analysis as one of the major factors in its decision.
“Idaho State University (ISU) has agreed to pay $400,000 to the U.S. Department of Health and Human Services (HHS) to settle alleged violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule. The settlement involves the breach of unsecured electronic protected health information (ePHI) of approximately 17,500 patients at ISU’s Pocatello Family Medicine Clinic.
The HHS Office for Civil Rights (OCR) opened an investigation after ISU notified HHS of the breach in which the ePHI of approximately 17,500 patients was unsecured for at least 10 months, due to the disabling of firewall protections at servers maintained by ISU. OCR’s investigation indicated that ISU’s risk analyses and assessments of its clinics were incomplete and inadequately identified potential risks or vulnerabilities. ISU also failed to assess the likelihood of potential risks occurring.”
“So what type of action/inaction ends up in an OCR monetary enforcement scenario? Director Rodriguez categorized two culprits: (1) an ongoing failure to comply with the HIPAA Privacy and Security Rules, and (2) an unforgivable disclosure. Regarding the first category, an ongoing failure usually exists over several months and/or years. Oftentimes, a risk analysis is missing, including a lack of routine information system reviews. Director Rodriguez stressed the importance of conducting risk analyses to identify vulnerabilities. Once risk is identified, it must be properly evaluated and addressed.”
In conclusion, do a risk assessment and then fix the problems and vulnerabilities it uncovers. One is useless without the other. You can read the full HHS press release here: Idaho State University Settles HIPAA Security Case for $400,000