UMass Amherst to Pay $650K HIPAA Fine
The settlement, which covers cyber security issues experienced by the school, also includes a corrective action plan.
The University of Massachusetts Amherst (UMass) has agreed to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules. The settlement includes a corrective action plan and a monetary payment of $650,000.
In 2013, a workstation in the school’s Center for Language, Speech, and Hearing was infected with a malware program, which resulted in the disclosure of electronic protected health information (ePHI) of 1,670 individuals, including names, addresses, social security numbers, dates of birth, health insurance information, diagnoses and procedure codes. The malware was a generic remote access Trojan that infiltrated Umass’ system. At the time of the attack, the school didn’t have a firewall in place.
The U.S. Department of Health and Human Services, Office for Civil Rights’ investigation indicated the following potential violations of the HIPAA Rules:
- UMass had failed to designate all of its health care components when hybridizing, incorrectly determining that while its University Health Services was a covered health care component, other components, including the Center where the breach of ePHI occurred, were not covered components. Because UMass failed to designate the Center as a health care component, UMass did not implement policies and procedures at the Center to ensure compliance with the HIPAA Privacy and Security Rules. (Note: The HIPAA Privacy Rule permits legal entities that have some functions that are covered by HIPAA and some that are not to elect to become a “hybrid entity.” To successfully “hybridize,” the entity must designate in writing the health care components that perform functions covered by HIPAA and assure HIPAA compliance for its covered health care components.)
- UMass failed to implement technical security measures at the Center to guard against unauthorized access to ePHI transmitted over an electronic communications network by ensuring that firewalls were in place at the Center.
- UMass did not conduct an accurate and thorough risk analysis until September 2015.
In addition to the monetary settlement, which reflects the fact that the university operated at a financial loss in 2015, UMass has agreed to a corrective action plan requiring it to conduct an enterprise-wide risk analysis; develop and implement a risk management plan; revise its policies and procedures, and train its staff on these policies and procedures.
Add Another Layer of Protection to your Campus
If you’re responsible for protecting a campus — whether at a hospital, K-12 school, college or university — then Campus Safety magazine is a must-read, and it’s free! As the only publication devoted to those public safety, security and emergency management personnel, issues cover all aspects of safety measures, including access control, video surveillance, mass notification, and security staff practices.
Take advantage of a free subscription to Campus Safety today, and add its practical insights, product updates and know-how to your toolkit. Subscribe today!
Campus Safety Heroes
Campus Safety honors those who keep their hospital, school or university campus safer.See our latest Heroes, nominees and content.
Recommended For You
Do you have a Threat Assessment Checklist? If not, you’ll want to download this FREE Active Shooter Checklist now!
Improving emergency preparedness on your campus is an evolving process involving both personnel and equipment. Learn from other school and college officials preparedness and who reveal what they look for in an emergency alert system.