The U.S. Department of Health and Human Services (HHS) has reported a $400,000 settlement with Idaho State University (ISU) for alleged violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule. The incident giving rise to the investigation by the HHS Office for Civil Rights (OCR) involved a potential exposure of information about 17,500 patients over a ten-month period.

OCR has enforcement authority of the HIPAA Privacy and Security Rules. When a breach is reported to HHS, as required by the breach notification rules, OCR typically initiates an investigation regarding the reporting organization’s compliance with the breach notification requirements as well as the state of compliance with the HIPAA Privacy and Security Rules. In this case, OCR concluded that:

(1)  ISU failed to conduct an appropriate risk assessment between April 1, 2007 and November 26, 2012;

(2)  ISU failed to implement adequate security protections during the same time period to protect electronic protected health information (ePHI); and

(3)  ISU did not regularly review information system (IS) activity to determine if ePHI was inappropriately used or disclosed.

These points are all significant and emphasize the importance of a healthcare organization’s actions taken to evaluate its risks and appropriately respond to vulnerabilities. Moreover, point three supports OCR’s expectation that organizations regularly review IS activity (e.g., audit trails and logging) to determine if there has been an impermissible use or disclosure of ePHI, or if the security protections in place need to be changed.

The Resolution Agreement includes a two-year corrective action plan (CAP) in addition to the monetary settlement. The CAP imposes numerous obligations on ISU, including annual reporting requirements as follows:

(1) summary of the risk management plan, security measures, and training;

(2) summary of IS activity review measures and evidence of training related to those measures;

(3) update on compliance gap analysis activity;

(4) summary of reportable events and corrective/preventative action;

(5) attestation from an ISU officer that the annual report is accurate and truthful.

OCR’s 13th resolution agreement demonstrates the priority an organization must place on taking proactive steps to continuously assess and timely respond to risk. In addition, the resolution agreement continues to support the notion that compliance is a C-Suite issue and documentation is critical to support your compliance efforts.