The University of Massachusetts Amherst (UMass) entered into a settlement agreement last month with the Department of Health and Human Services Office for Civil Rights (OCR) to pay a civil monetary penalty of $650,000 for potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules and to adhere to a two-year corrective action plan. The settlement comes more than three years after UMass reported to OCR that a workstation in its Center for Language, Speech, and Hearing was infected with malware that resulted in the impermissible disclosure of electronic protected health information (ePHI) of 1,670 individuals. The ePHI included names, addresses, social security numbers, dates of birth, health insurance information, diagnoses, and procedure codes. UMass determined that the malware was able to infiltrate its system because no firewall was in place.
In response to the incident report filed by UMass, OCR conducted an investigation which found the following potential violations of the HIPAA rules:
- Failure of UMass to designate all of its health care components when hybridizing under HIPAA, including incorrectly determining that while its University Health Services was a covered health care component, other components, including the center where the breach of ePHI occurred, were not covered components. Because the center was excluded, UMass failed to implement policies and procedures at the center to ensure compliance with the HIPAA Privacy and Security Rules.
- Failure of UMass to implement technical security measures at the center, such as ensuring that firewalls were in place, to guard against unauthorized access to ePHI transmitted over an electronic communications network.
- Failure to conduct an accurate and thorough risk analysis until September 2015, more than two years after the incident.
In response to the settlement, OCR emphasized the importance of proper hybrid designation and stated that “HIPAA’s security requirements are an important tool for protecting both patient data and business operations against threats such as malware. Entities that elect hybrid status must properly designate their health care components and ensure that those components are in compliance with HIPAA’s privacy and security requirements.”
The two-year corrective action plan that UMass agreed to requires UMass to conduct a risk analysis of its entire organization, implement a risk management plan, revise its data security and privacy policies and procedures, and train all applicable staff on compliance with the revised policies and procedures.
Impact of Hybridization
The UMass settlement emphasizes the impact of failing to properly designate health care covered components when electing hybrid entity status under the HIPAA Privacy Rule. The HIPAA Privacy Rule permits certain legal entities that have some functions that are covered by HIPAA and some functions that are not, such as universities like UMass that have academic medical centers, to elect to become a “hybrid entity.” To properly “hybridize,” the entity must designate in writing the health care components that perform functions covered by HIPAA and assure that each covered health care component complies with HIPAA.
To enhance HIPAA compliance, entities that elect to be treated as hybrid should periodically reassess the designation of each component of their organization. Doing so reduces the likelihood that a component is incorrectly designated as not performing covered HIPAA functions and helps ensure that proper policies and procedures are implemented at all health care components. In addition, HIPAA policies and procedures should be reviewed annually. Phase Two of OCR’s HIPAA Audit Program is underway, and it is critical that covered entities, including hybrid entities, and business associates take affirmative steps to enhance their compliance in anticipation of selection for an audit.