On May 21, 2013, the Department of Health and Human Services (HHS) released its settlement agreement with Idaho State University (ISU) for Health Insurance Portability and Accountability Act (HIPAA) violations. The $400,000 settlement agreement involves ISU’s self-reported breach of unsecured electronic protected health information (ePHI) of about 17,500 patients.
HHS received notification of ISU’s breach on August 9, 2011, and shortly thereafter began an investigation into ISU’s HIPAA compliance. Because firewall protections on ISU’s servers had been disabled, the ePHI of about 17,500 patients was left unsecured for a minimum of 10 months. Furthermore, according to the HHS investigation, ISU’s security measures were not adequate, and ISU had not evaluated the likelihood of potential risks.
Most importantly, the Office for Civil Rights (OCR), which enforces HIPAA and oversees health information privacy within HHS, determined that processes for routine review were not in place at ISU. As a result, ISU was not able to detect the firewall breach as early as it could have had proper procedures been in place. Routine review is part of HIPAA’s minimum necessary standard, with which every HIPAA covered entity must comply.
If you are a HIPAA covered entity or business associate and need assistance with complying with or understanding the HIPAA Privacy and Security Rules and their exceptions, please contact an experienced healthcare attorney at Wachler & Associates.