The University of Massachusetts Amherst (UMass) has agreed to pay the Department of Health and Human Services’ Office for Civil Rights (OCR) $650,000 to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA). The UMass HIPAA settlement could have been much higher, although OCR took into consideration the financial position of the University, which had operated at a financial loss last year.
OCR launched an investigation of UMass in 2013 following a breach of protected health information caused by a malware infection. The malware was installed on a workstation used by the University of Massachusetts’ Center for Language, Speech, and Hearing on June 18, 2013.
The infected computer contained a range of sensitive data including names, addresses, dates of birth, medical diagnoses, prescription details, procedure codes, health insurance information, and Social Security numbers. The malware – a remote access Trojan – was installed as a result of a lack of security protections at the Center for Language, Speech, and Hearing.
While UMass had invested in technology to keep its systems secure, workstations at the Center for Language, Speech, and Hearing were not protected by a firewall. In total, 1,670 individuals were impacted by the breach.
The breach was one of the smaller data security incidents reported to OCR in 2013, although the severity of the HIPAA violations discovered by OCR investigators led to the agency seeking a financial penalty.
In addition to the $650,000 UMass HIPAA settlement, the University must adopt a corrective action plan to address the HIPAA failures discovered by OCR during the investigation. OCR determined that UMass had not performed a comprehensive, organization-wide risk analysis to identify potential risks to the confidentiality, integrity, and availability of ePHI. That risk analysis was eventually performed, but not until September 2015.
UMass also failed to implement appropriate technical security measures to protect ePHI stored on its workstations – a breach of the HIPAA Security Rule.
UMass is a hybrid entity and as such, HIPAA Rules only apply to its healthcare components. However, UMass failed to designate its Center for Language, Speech, and Hearing as a healthcare component.
OCR Director Jocelyn Samuels issued a statement about the UMass HIPAA settlement saying “Entities that elect hybrid status must properly designate their healthcare components and ensure that those components are in compliance with HIPAA’s privacy and security requirements.”
There have been considerably more OCR HIPAA settlements in 2016 than in previous years as the agency has started cracking down on serious violations of HIPAA Rules. The UMass HIPAA settlement was the 13th OCR HIPAA breach settlement of the year to date.