The HHS Office for Civil Rights has once again sanctioned a healthcare provider organization for violating HIPAA privacy and security rules.

The University of Massachusetts Amherst, known as UMass, will pay a $650,000 settlement fine and enter into a two-year corrective action plan.

The sanctions follow UMass reporting to OCR in June 2013 that a workstation infected with malware resulted in disclosure of protected health information on 1,670 individuals. Malware infected a workstation in the UMass Center for Language, Speech and Hearing because no firewall was in place.

OCR contends that UMass had incorrectly determined that the Center for Language, Speech and Hearing, which was the unit that experienced the breach, was not a covered entity under the HIPAA rules.

Further, OCR determined that while the breach occurred in mid-2013, UMass did not conduct and accurate and through risk analysis until September 2015. In recent years, OCR has increasingly been stringent on the need of HIPAA-covered entities to conduct risk analyses and address vulnerabilities.

The corrective action plan requires an enterprisewide risk analysis, development and implementation of a risk management plan, revised policies and procedures, and training of staff.

“Prior to conducting the risk analysis, UMass shall develop a complete inventory of all of its facilities, electronic equipment, data systems and applications that contain or store electronic protected health information that will then be incorporated into its risk analysis,” the corrective action plan states.

Further, UMass “shall provide documentation supporting a review of current security measures and level of risk to its ePHI associated with the following: network segmentation, network infrastructure, vulnerability scanning, logging and alerts, and patch management,” according to the plan.

UMass issued the following statement to Health Data Management:

“The University of Massachusetts Amherst recognizes that corrective action is needed to ensure the security of individuals’ protected health information. The university has already begun work to develop and implement a plan to improve its procedures to ensure the security of such private electronic records. In the case cited by HHS, the university voluntarily reported the discovery of malware on a workstation. An intensive evaluation of the incident located no evidence suggesting or indicating that any data was copied from the workstation, but could not rule out the possibility. The university received no reports of a third party gaining access to protected health information.”

(This article appears courtesy of our sister publication, Health Data Management)