The Division of Health and Human Services’ OCR has consented to a $650K agreement with University of Massachusetts Amherst (UMass). The agreement solves HIPAA breaches that caused the UMass undergoing a malware contagion in 2013.
In early 2013, a malevolent program was set up on a computer terminal in the Center for Speech, Language, and Hearing. The infection led to the forbidden revelation of the electronic safeguarded health information of 1,670 people. Those people had their names, birth dates, addresses, health insurance information, social security numbers, procedure codes, and diagnoses revealed to the actors at the back of the malevolent program attack.
After the detection of the contagion in 2013, UMass carried out a thorough investigation of the infected computer terminal. The malevolent program was a common distant access Malware and infection followed since the computer terminal wasn’t safeguarded by a firewall. UMass found out that entrance to ePHI had been gotten.
OCR probes all data breaks which affect over than 500 people to decide whether broken bodies have followed the HIPAA Security, Privacy, and Break Notice Laws and whether breaks have happened as a consequence of HIPAA breaches. As per the resolution contract, OCR was alerted of the break by University of Massachusetts Amherst on June 4, 2013, and an inquiry was started on August 27, 2013.
OCR detectives found out many matters of non-compliance with HIPAA Laws which directly supported the University of Massachusetts Amherst data break.
Being a mixed entity, UMass is required to abide by HIPAA Laws only for some of its parts – Those that meet the meaning of a protected body or BA as per HIPAA meanings. UMass had applied correct safeguards to defend the integrity, confidentiality, and obtainability of ePHI for its University Health Facilities part; however, those same checks weren’t used for the Center for Speech, Language, and Hearing as UMass didn’t entitle it as a healthcare part.
As per OCR, “To effectively “hybridize,” the body should delegate in writing the health care parts which carry out tasks protected by HIPAA and ensure HIPAA conformity for its protected health care parts.”
This mistake indicated that UMass didn’t carry out a HIPAA-conforming risk probe at the Center. A risk probe was ultimately carried out, however after September 2015. UMass also didn’t apply technical safety measures to safeguard the Center’s computer network and avoid illegal ePHI access.
The HIPAA abuses might have led to a much greater financial fine, however, OCR took the University’s funds into consideration. OCR stated the agreement “is thinking of the truth that the University functioned at a financial deficit in 2015.”
Jocelyn Samuels, OCR Director publicized the agreement and described that “HIPAA’s safety requirements are a vital tool for safeguarding both business operations and patient data against threats like malevolent program,” Samuels said, “Bodies that select mix status should correctly label their health care parts and make sure that those parts are in conformity with HIPAA’s security and privacy needs.”
UMass approved the settlement with no acceptance of obligation. UMass will pay a $650K fine and will implement a corrective action plan (CAP) to make sure procedures and policies are aligned according to the minimum criteria needed as per the Health Insurance Accountability and Portability Law.
The CAP expects UMass to carry out a complete risk analysis of all systems, equipment, and apps which are used to store or access ePHI to make sure all risks to the integrity, confidentiality, and obtainability of ePHI are classified.
An enterprise-wide risk administration strategy should also be formed to tackle all risks to ePHI which are named by the risk investigation. A complete analysis of procedures and policies should also take place to make sure they conform to Federal criteria, and all staff members should be provided training on those procedures and policies after they have been accepted by OCR.