Last month, the Department of Health and Human Services (HHS) entered into a resolution agreement with Idaho State University (ISU) to settle HIPAA violations related to ISU's electronic health records system. Under the agreement, ISU agreed to pay $400,000 to HHS to settle the claims. The violations stemmed from ISU's failure to detect that the firewalls protecting its electronic health records system had been disabled. With the firewalls down, the health information of over 17,000 patients was left unsecured for ten months before anyone noticed.

After investigating ISU's security policies and procedures, HHS found that the disabled firewalls were only the most visible symptom. Between 2007 and 2012, ISU also:

  • failed to conduct any risk assessment of its electronic health information;
  • failed to implement any measures to address the vulnerabilities in its health information security; and
  • failed to implement policies and procedures for reviewing activity on its electronic health records system, so improper access would not have been discovered.

The ISU case illustrates the importance of closely following the HIPAA Security Rule's requirements for safeguarding electronic health information. Perhaps the most important of these requirements is the obligation to conduct a thorough risk assessment. Had ISU performed a proper self-analysis of its health information security risks, it might well have identified the risk of an unnoticed firewall failure and put a control in place to address it. The ten-month detection gap also shows why the risk assessment cannot stand alone: a risk assessment is a point-in-time exercise, and it is the ongoing activity review that ISU also lacked which would have surfaced a firewall that had been disabled after the assessment was done.

To learn more about HIPAA or for assistance on conducting HIPAA risk assessments please contact Casey Moriarty.