ISU to Pay HHS $400k for HIPAA Violation | Healthcare Informatics Magazine | Health IT | Information Technology Skip to content Skip to navigation

ISU to Pay HHS $400k for HIPAA Violation

May 24, 2013
by Rajiv Leventhal
| Reprints

Idaho State University (ISU) has agreed to pay $400,000 to the Department of Health Human Services (HHS) to settle alleged violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule.  The settlement involves the breach of unsecured electronic protected health information (ePHI) of approximately 17,500 patients at ISU’s Pocatello Family Medicine Clinic.

ISU operates 29 outpatient clinics and is responsible for providing health information technology systems security at those clinics. Between four and eight of those ISU clinics are subject to the HIPAA Privacy and Security Rules, including the clinic where the breach occurred, according to HHS.

The HHS Office for Civil Rights (OCR) opened an investigation after ISU notified HHS of the breach in which the ePHI of approximately 17,500 patients was unsecured for at least 10 months, due to the disabling of firewall protections at servers maintained by ISU. OCR’s investigation indicated that ISU’s risk analyses and assessments of its clinics were incomplete and inadequately identified potential risks or vulnerabilities.  ISU also failed to assess the likelihood of potential risks occurring.  

OCR concluded that ISU did not apply proper security measures and policies to address risks to ePHI and did not have procedures for routine review of their information system in place, which could have detected the firewall breach much sooner.

“Risk analysis, ongoing risk management, and routine information system reviews are the cornerstones of an effective HIPAA security compliance program,” OCR Director Leon Rodriguez said in a statement. “Proper security measures and policies help mitigate potential risk to patient information.”

ISU has agreed to a comprehensive corrective action plan to address the issues uncovered by the investigation and its failure to ensure uniform implementation of required HIPAA Security Rule protections at each of its covered clinics.

Topics

News

NewYork-Presbyterian, Walgreens Partner on Telemedicine Initiative

NewYork-Presbyterian and Walgreens are collaborating to bring expanded access to NewYork-Presbyterian’s healthcare through new telemedicine services, the two organizations announced this week.

ONC Releases Patient Demographic Data Quality Framework

The Office of the National Coordinator for Health IT (ONC) developed a framework to help health systems, large practices, health information exchanges and payers to improve their patient demographic data quality.

AMIA, Pew Urge Congress to Ensure ONC has Funding to Implement Cures Provisions

The Pew Charitable Trusts and the American Medical Informatics Association (AMIA) have sent a letter to congressional appropriators urging them to ensure that ONC has adequate funding to implement certain 21st Century Cures Act provisions.

Former Michigan Governor to Serve as Chair of DRIVE Health

Former Michigan Governor John Engler will serve as chair of the DRIVE Health Initiative, a campaign aimed at accelerating the U.S. health system's transition to value-based care.

NJ Medical Group Launches Statewide HIE, OneHealth New Jersey

The Medical Society of New Jersey (MSNJ) recently launched OneHealth New Jersey, a statewide health information exchange (HIE) that is now live.

Survey: 70% of Providers Using Off-Premises Computing for Some Applications

A survey conducted by KLAS Research found that 70 percent of healthcare organizations have moved at least some applications or IT infrastructure off-premises.