Failing to comply with HIPAA can bring severe fines, as Idaho State University (ISU) learned this month. The university has agreed to a $400,000 settlement with the Department of Health and Human Services' Office for Civil Rights (OCR) over potential violations of the HIPAA Security Rule. The penalty was issued for network security failings that exposed protected patient health information to unauthorized third parties.
ISU had put in place the controls required to keep health data out of the reach of unauthorized people, but it failed to verify that the safeguards it had implemented remained in place.
The breach occurred when the Pocatello Family Medicine Clinic disabled the firewall protecting a server holding the medical records of approximately 17,500 patients. The firewall stayed off for about 10 months, leaving the data unprotected and potentially accessible to unauthorized third parties for an unacceptable length of time.
According to HHS, ISU operates 29 outpatient clinics and is a HIPAA covered entity at 8 of them, where it is obliged to safeguard electronic protected health information. The breach happened at one of the clinics where ISU was required to maintain information security controls.
ISU discovered the breach in August 2011 and issued a breach notification; OCR opened an investigation in November 2011. The investigation confirmed that the breach resulted from the disabled firewall, and also found that ISU had failed to conduct adequate risk analyses at its clinics over a period of roughly three years.
OCR also found that ISU had not taken adequate steps to manage future risks. Implementing safeguards is not enough on its own: policies, procedures and systems must be reviewed regularly so that weaknesses do not creep in unnoticed.
Had ISU reviewed its policies, procedures and systems as the HIPAA Security Rule requires, it would have detected the disabled firewall and could have acted promptly to restore it. The lapse itself might not have been prevented, but the length of time the data was left exposed would certainly have been limited.
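The point above is that a control which was correctly deployed can silently stop working, and only a routine check catches it. As an added example (not code from the article, HHS or ISU), the script below audits an `iptables -S` style rule dump and flags a host whose firewall is effectively disabled: a default ACCEPT policy with no filtering rules, an unconditional accept-all rule, or a listening port exposed beyond an agreed allowlist. The rule dumps are constructed sample input, and the allowed port set is an assumption standing in for whatever services the clinic had approved.

```python
"""Audit a host firewall from an `iptables -S` dump and report why it is not
protecting the host. Example code for the ISU discussion; the rule dumps
below are constructed samples, not real configuration."""
import re

# Lines such as "-P INPUT ACCEPT" (chain default policy)
POLICY_RE = re.compile(r"^-P\s+(\S+)\s+(ACCEPT|DROP|REJECT)$")
# Lines such as "-A INPUT -p tcp --dport 22 -j ACCEPT" (chain, match, target)
RULE_RE = re.compile(r"^-A\s+(\S+)\s+(.*?)\s*-j\s+(\S+)")
DPORT_RE = re.compile(r"--dport\s+(\d+)")

# Assumed allowlist of services permitted to be reachable from the network.
ALLOWED_PORTS = {22, 443}


def parse_rules(dump):
    """Return ({chain: policy}, {chain: [(match, target), ...]})."""
    policies, rules = {}, {}
    for raw in dump.splitlines():
        line = raw.strip()
        m = POLICY_RE.match(line)
        if m:
            policies[m.group(1)] = m.group(2)
            continue
        m = RULE_RE.match(line)
        if m:
            rules.setdefault(m.group(1), []).append((m.group(2), m.group(3)))
    return policies, rules


def audit_firewall(dump, allowed_ports=ALLOWED_PORTS):
    """Return a list of findings; an empty list means the INPUT chain is
    filtering as expected."""
    policies, rules = parse_rules(dump)
    inbound = rules.get("INPUT", [])
    findings = []

    # 1. Default ACCEPT with nothing that ever drops: the firewall is off in
    #    all but name. This is what "disabling the firewall" looks like.
    blocks = any(t in ("DROP", "REJECT") for _, t in inbound)
    if policies.get("INPUT", "ACCEPT") == "ACCEPT" and not blocks:
        findings.append("INPUT default policy ACCEPT with no blocking rules: "
                        "firewall effectively disabled")

    for match, target in inbound:
        if target != "ACCEPT":
            continue
        # 2. An ACCEPT rule with no match criteria lets everything through,
        #    regardless of the default policy that follows it.
        if match == "":
            findings.append("unconditional ACCEPT rule in INPUT chain")
        # 3. A service exposed that is not on the approved list.
        m = DPORT_RE.search(match)
        if m and int(m.group(1)) not in allowed_ports:
            findings.append(f"port {m.group(1)} exposed but not in allowlist")
    return findings


# Constructed sample: a correctly configured host.
HEALTHY_DUMP = """\
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
"""

# Constructed sample: the firewall has been "turned off" by flushing the
# rules and leaving the default policies at ACCEPT.
DISABLED_DUMP = """\
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
"""

# Constructed sample: policy still DROP, but someone inserted an accept-all
# rule and opened a database port while troubleshooting.
WEAKENED_DUMP = """\
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -j ACCEPT
-A INPUT -p tcp --dport 1433 -j ACCEPT
"""

if __name__ == "__main__":
    for name, dump in (("healthy", HEALTHY_DUMP), ("disabled", DISABLED_DUMP),
                       ("weakened", WEAKENED_DUMP)):
        print(name, audit_firewall(dump) or ["OK"])
```

Run on a schedule (cron, a configuration management agent, or a monitoring check) with the live output of `iptables -S`, a non-empty findings list is the alert that would have surfaced the Pocatello server long before ten months had passed. The third sample matters because a firewall can be nominally enabled and still useless; checking only that the service is running would miss it.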
According to OCR Director Leon Rodriguez, "Ongoing risk management, risk analysis, and regular information system examinations are the foundations of an efficient HIPAA safety compliance program."
In addition to paying the $400,000 settlement, ISU has agreed to implement a corrective action plan that includes a thorough review of all its policies and procedures to ensure that any remaining weaknesses are identified and addressed.