UMass Will Pay $650,000 to Settle Potential HIPAA Violations | Healthcare Informatics Magazine | Health IT | Information Technology Skip to content Skip to navigation

UMass Will Pay $650,000 to Settle Potential HIPAA Violations

November 22, 2016
by Heather Landi
| Reprints

The University of Massachusetts Amherst (UMass) has agreed to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules stemming from a malware infection back in 2013.

The settlement includes a corrective action plan and a monetary payment of $650,000, which is reflective of the fact that the University operated at a financial loss in 2015, according to a press release from the U.S. Department of Health and Human Services, Office for Civil Rights (OCR).

On June 18, 2013, UMass reported to the OCR that a workstation in its Center for Language, Speech, and Hearing was infected with a malware program, which resulted in the impermissible disclosure of electronic protected health information (ePHI) of 1,670 individuals, including names, addresses, social security numbers, dates of birth, health insurance information, diagnoses and procedure codes. The university determined that the malware was a generic remote access Trojan that infiltrated their system, providing impermissible access to ePHI, because UMass did not have a firewall in place, according to the OCR press release.

OCR’s investigation indicated the following potential violations of the HIPAA Rules:

UMass had failed to designate all of its health care components when hybridizing, incorrectly determining that while its University Health Services was a covered health care component, other components, including the Center for Language, Speech, and Hearing where the breach of ePHI occurred, were not covered components.  Because UMass failed to designate the Center a health care component, UMass did not implement policies and procedures at the Center to ensure compliance with the HIPAA Privacy and Security Rules. Specifically, OCR notes that the HIPAA Privacy Rule permits legal entities that have some functions that are covered by HIPAA and some that are not to elect to become a “hybrid entity.”  “To successfully ‘hybridize,’ the entity must designate in writing the health care components that perform functions covered by HIPAA and assure HIPAA compliance for its covered health care components,” OCR stated.

According to OCR’s investigation, UMass failed to implement technical security measures at the Center to guard against unauthorized access to ePHI transmitted over an electronic communications network by ensuring that firewalls were in place at the Center. 

Finally, UMass did not conduct an accurate and thorough risk analysis until September 2015. 

“HIPAA’s security requirements are an important tool for protecting both patient data and business operations against threats such as malware,” OCR Director Jocelyn Samuels said in a statement. “Entities that elect hybrid status must properly designate their health care components and ensure that those components are in compliance with HIPAA’s privacy and security requirements.”  

In addition to the monetary settlement, UMass has agreed to a corrective action plan that requires the organization to conduct an enterprise-wide risk analysis; develop and implement a risk management plan; revise its policies and procedures, and train its staff on these policies and procedures.

 

Get the latest information on Health IT and attend other valuable sessions at this two-day Summit providing healthcare leaders with educational content, insightful debate and dialogue on the future of healthcare and technology.

Learn More

Topics

News

HIT Advisory Committee Advances Recommendations on Core Data Sets for Interoperability

The Health Information Technology Advisory Committee, a federal advisory committee to the Office of the National Coordinator for Health IT (ONC), voted Wednesday to approve nine recommendations to update the list of data elements that vendors must exchange to be considered interoperable.

ACP Study: Only 37 Percent of MIPS Measures Are Valid

A new study from the American College of Physicians Performance Measurement Committee rated as valid only 37 percent of the 86 Quality Payment Program measures for 2017 deemed relevant to ambulatory general internal medicine.

Intermountain Healthcare Launches Study to Unlock Genomic Data

Researchers from the Salt Lake City, Utah-based Intermountain Healthcare have announced a long-term prospective study that they think has the potential to help physicians and others unlock genomic data.

UNC Health Care Receives HIMSS Analytics Stage 7 Designation

UNC Health Care, an integrated health care system based in Chapel Hill, N.C., has achieved Stage 7 designation on the HIMSS Analytics’ Electronic Medical Record Adoption Model (EMRAM).

FDA Announces Plan to Advance Medical Device Safety and Cybersecurity

The Food and Drug Administration (FDA) has announced new proposals aimed at advancing medical device cybersecurity, including placing new responsibilities on manufacturers, both before and after their devices hit the market.

Black Book: 9 in 10 Small Practices Not Optimizing Advanced EHR Functionalities

Eighty-eight percent of small practices of six or less practitioners still aren't optimizing advanced EHR (electronic health record) tools such as patient engagement, secure messaging, decision support and electronic data sharing, according to the latest Black Book survey