Search by Topic
Join our mailing list!
Thanks! You've been successfully signed up for the BTU newsletter!
November 29, 2016
Mass. university to pay $650K in HIPAA settlement
AMHERST, Mass. — The University of Massachusetts Amherst has agreed to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 Privacy and Security Rules. The settlement includes a corrective action plan and a monetary payment of $650,000.
On June 18, 2013, UMass reported to the U.S. Department of Health and Human Services that a workstation in its Center for Language, Speech and Hearing was infected with a malware program, which resulted in the disclosure of electronic protected health information of 1,670 individuals, including names, addresses, social security numbers, dates of birth, health insurance information, diagnoses and procedure codes.
The University determined that the malware was a generic remote access Trojan that infiltrated their system, providing impermissible access to ePHI, because UMass did not have a firewall in place.
The Office for Civil Rights investigation indicated the following potential violations of the HIPAA Rules:
“HIPAA’s security requirements are an important tool for protecting both patient data and business operations against threats such as malware,” OCR Director Jocelyn Samuels said. “Entities that elect hybrid status must properly designate their health care components and ensure that those components are in compliance with HIPAA’s privacy and security requirements.”
In addition to the monetary settlement, UMass has agreed to a corrective action plan that requires the organization to conduct an enterprise-wide risk analysis, develop and implement a risk management plan, revise its policies and procedures, and train its staff on the policies and procedures.