The HHS Office for Civil Rights (OCR) announced that it has fined Idaho State University (ISU) $400,000 for failing to protect patient information.
The HHS Office for Civil Rights (OCR) opened an investigation after ISU notified HHS of the breach in which the ePHI of approximately 17,500 patients was unsecured for at least 10 months, due to the disabling of firewall protections at servers maintained by ISU. OCR’s investigation indicated that ISU’s risk analyses and assessments of its clinics were incomplete and inadequately identified potential risks or vulnerabilities. ISU also failed to assess the likelihood of potential risks occurring.
OCR goes into more details in the Resolution Agreement posted on their website:
Factual Background and Covered Conduct. On August 9, 2011, HHS received notification from ISU regarding a breach of its unsecured electronic protected health information (ePHI). On November 22, 2011, HHS notified ISU of its investigation regarding ISU’s compliance with the Privacy, Security, and Breach Notification Rules. HHS’ investigation indicated that the following conduct occurred (“Covered Conduct”):
- ISU failed to conduct an appropriate risk assessment between April 1, 2007 and November 26, 2012;
- ISU failed to implement adequate security protections during the same time period to protect electronic protected health information (ePHI); and
- ISU did not regularly review information system (IS) activity to determine if ePHI was inappropriately used or disclosed.
The three findings are interesting because they represent HIPAA requirements that many organizations are not complying with.
A HIPAA Risk Assessment is the core of the HIPAA Security Rule. A Risk Assessment will provide an organization with the information they need to properly protect patient information. A Risk Assessment will look at where patient data is stored, how it is being protected and what are the risks to the data. In addition, a HIPAA Risk Assessment will provide suggestions for additional security measures that should be implemented.
Inadequate Security Protections
The second point goes directly with the failure to perform a Risk Assessment. Without the Risk Assessment an organization does not know what the risks are to patient information. Without knowing the risks, an organization may not put the proper protections in place.
Think about a patient going to the doctor. The patient might ignore some of the things they are doing and their effect on their health. Only when the doctor says “If you don’t change your lifestyle you will be dead in 2 years” does the patient know the real risks to their health, and then they might make the lifestyle changes needed to avoid the consequences. A HIPAA Risk Assessment provides the same insight to an organization.
Information System Review
The third point is one that we see over and over again. Many organizations do not review information system activity. Information system activity logs record access to patient information. They record:
- Who accessed patient information
- When patient information was accessed
- What patient information was accessed
Without reviewing information system activity, an organization is blind to what is happening with its electronic patient information. Reviewing system activity can reveal trends that alert an organization that illegal activity is occurring or that patient information is being accessed in an inappropriate way. Examples include:
- One employee accessing 400 patient records a day when all other employees access only 20 patient records a day. This employee might be downloading patient information and selling it for use in criminal activity.
- A lot of patient information being accessed after normal working hours. This could be an indication that a hacker is illegally accessing patient information.
Without reviewing system activity, an organization is blind to what is happening to patient information. Illegal or inappropriate access might be occurring right under its nose.
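The two patterns just described (one user touching far more records than peers, and access outside working hours) are exactly what a periodic review of information system activity is meant to surface. The script below is an added example, not code from the original post, from ISU or from OCR; it assumes a simple constructed audit-log format of one line per access (`<ISO timestamp> <user> <action> <patient_id>`), hypothetical user names and patient ids, and an assumed business window of 07:00 to 19:00 on weekdays. It generates a day of sample lines and flags both patterns:

```python
"""Review of information-system activity logs for ePHI access.

Added example for this post (not the post's own code). The log format, the
user names, the patient ids and the 07:00-19:00 business window are all
assumptions constructed for the example.
"""
from __future__ import annotations

from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime
from statistics import median


@dataclass(frozen=True)
class Access:
    when: datetime
    user: str
    action: str
    patient_id: str


def parse_line(line: str) -> Access:
    """Parse one constructed audit line: '<ISO timestamp> <user> <action> <patient_id>'."""
    ts, user, action, patient_id = line.split()
    return Access(datetime.fromisoformat(ts), user, action, patient_id)


def build_sample_log() -> list[str]:
    """Construct one weekday of hypothetical audit lines (not real data)."""
    lines = []
    day = "2011-08-01"  # a Monday
    # Three clinic staff each viewing 20 records during business hours.
    for user in ("jdoe", "asmith", "bjones"):
        for i in range(20):
            lines.append(f"{day}T{9 + i // 6:02d}:{(i % 6) * 10:02d}:00 {user} VIEW P{1000 + i}")
    # One user viewing 400 records in the same day.
    for i in range(400):
        lines.append(f"{day}T{8 + i // 60:02d}:{i % 60:02d}:00 mallory VIEW P{2000 + i}")
    # A handful of views at 2 a.m. from an account nobody expects to be active then.
    for i in range(3):
        lines.append(f"{day}T02:{i * 5:02d}:00 svc_backup VIEW P{3000 + i}")
    return lines


def daily_counts(records: list[Access]) -> dict[str, Counter]:
    """Number of records each user touched, per calendar day."""
    per_day: dict[str, Counter] = defaultdict(Counter)
    for r in records:
        per_day[r.when.date().isoformat()][r.user] += 1
    return per_day


def flag_volume_outliers(records: list[Access], factor: float = 5.0):
    """Users whose daily count exceeds `factor` times the median of all users that day."""
    flagged = []
    for day, counts in daily_counts(records).items():
        baseline = median(counts.values())
        for user, n in counts.items():
            if n > factor * baseline:
                flagged.append((day, user, n, baseline))
    return flagged


def flag_after_hours(records: list[Access], start_hour: int = 7, end_hour: int = 19):
    """Accesses outside the assumed business window or on a weekend."""
    return [r for r in records
            if r.when.weekday() >= 5 or not (start_hour <= r.when.hour < end_hour)]


def review(lines: list[str]) -> dict:
    """Run both checks over raw audit lines and return the findings."""
    records = [parse_line(line) for line in lines]
    return {"volume_outliers": flag_volume_outliers(records),
            "after_hours": flag_after_hours(records)}


if __name__ == "__main__":
    result = review(build_sample_log())
    for day, user, n, baseline in result["volume_outliers"]:
        print(f"{day}: {user} accessed {n} records (median across users {baseline:g})")
    for r in result["after_hours"]:
        print(f"after hours: {r.when.isoformat()} {r.user} {r.action} {r.patient_id}")
```

On the constructed sample the volume check reports only the 400-record user (the median across the five accounts is 20, so the threshold is 100), and the after-hours check reports the three 02:00 accesses. In practice the baseline should be built per role rather than across all staff, since a records clerk legitimately touches more charts than a physician, and a flagged user is a lead for a human reviewer, not proof of misuse.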
The fine cost Idaho State University $400,000, plus significantly more to notify patients and address the findings in the OCR Resolution Agreement.
Unfortunately, many organizations are guilty of failing to protect patient information and do not perform the three items that caused Idaho State University to receive a $400,000 HIPAA fine.