The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced a $650,000 settlement with the University of Massachusetts Amherst (UMass) in the wake of potential HIPAA violations.
UMass reported a malware incident in June of 2013. According to the investigation, a workstation in the University’s Center for Language, Speech, and Hearing was infected with malware, resulting in the “impermissible disclosure” of the electronic protected health information (ePHI) of 1,670 individuals.
The breach was extensive and included the affected parties’ names, addresses, Social Security numbers, dates of birth, health insurance information, and diagnoses. UMass determined that the malware allowed a remote user access to ePHI because the Center did not have a firewall in place.
OCR discovered that UMass failed to designate the Center as a covered entity under HIPAA, and therefore did not implement the necessary compliance measures (including policies and procedures) at the site where the workstation was housed. UMass also failed to conduct a thorough security risk analysis until September of 2015.
“HIPAA’s security requirements are an important tool for protecting both patient data and business operations against threats such as malware,” said OCR Director Jocelyn Samuels.
HIPAA Compliance and Data Security
Security risk assessments are an essential part of an effective HIPAA compliance program, but they must be conducted alongside appropriately implemented HIPAA Privacy and Security standards. Policies and procedures must be executed throughout all parts of an organization that handle PHI and ePHI.
Malware poses a significant risk to health organizations around the country. OCR has released specific malware guidance for healthcare professionals to best protect their data from malicious software and hackers.
Implementing an organization-wide HIPAA compliance plan is the best way to contend with the threat of malware. Beyond protecting against hackers, a complete HIPAA compliance plan gives staff the framework to carry out the policies, procedures, and security risk assessments needed to keep patient data secure.