UMass To Pay $650,000 For HIPAA Violations

Written by: Richard Sheinis, Esq.

The University of Massachusetts Amherst is paying $650,000 to OCR (the HHS Office for Civil Rights) to settle allegations of HIPAA violations that occurred in 2013. UMass neglected to designate its Center for Language, Speech and Hearing as a health care component (Oops!), and neglected to have the most basic electronic security in place, including a firewall. This resulted in the Center being infected with malware that exposed names, addresses, Social Security numbers, dates of birth and medical information. The Center had also not conducted a basic, HIPAA-required risk analysis.

Having a risk analysis, which identifies weaknesses and vulnerabilities in the covered entity’s electronic security, is so basic to HIPAA, yet very few covered entities perform a risk analysis or its close cousin, a risk management plan. I suspect one reason is that a risk analysis seems complicated, and the HIPAA regulations do not provide much guidance on how to do it, so it ends up being ignored. Some covered entities think a risk analysis will be too painful, like going to the dentist, so they forget about it and hope for the best. After all, isn’t being hacked like a bad car accident or a heart attack? It always happens to someone else.

This is where I get on my soapbox, because I am constantly preaching the value of a risk analysis. It is important not just for HIPAA compliance, but because a properly performed risk analysis, which encompasses a technical security review, yields useful information that, if acted upon, can really make the covered entity more secure. Okay, I am off my soapbox. If you are a covered entity, get a risk analysis done!
