The University of Massachusetts at Amherst (UMass) agreed to a settlement with the Office for Civil Rights (OCR) over allegations that it had violated the HIPAA Privacy and Security Rules after a 2013 incident that resulted in the unauthorized disclosure of patient information of 1,670 individuals. The settlement includes a $650,000 penalty and a two-year corrective action plan. UMass is a postsecondary academic institution that provides health care through a student health center, behavioral counseling, and a clinic operated through its Center for Speech, Hearing and Language Therapy (Center). UMass had decided that the institution was a hybrid covered entity for purposes of the HIPAA Rules, but at the time of the incident had designated only the student health center as a HIPAA covered component.
According to OCR, a workstation in the UMass Center was infected with a malware program, which resulted in the disclosure of electronic protected health information (ePHI) of 1,670 individuals treated through the clinic, including names, addresses, social security numbers, dates of birth, health insurance information, diagnoses and procedure codes. The university determined that the malware was a generic remote access Trojan that infiltrated their system, providing impermissible access to ePHI, because UMass did not have a firewall in place.
Why This is Important
Unlike most targets of previous OCR fines, UMass is accused of not correctly “hybridizing”. Organizations that have some functions that fall under HIPAA and some that don’t are allowed to exclude non-health-related activities from the requirements that restrict how information may be used or disclosed. UMass hadn’t included the Center for Language, Speech, and Hearing as a HIPAA covered component, and had not applied the privacy and security safeguards to the clinic when it was hacked in 2013.
The HIPAA Rules apply to any entity, or any component of an entity, whose activities would by definition make the entity a health plan, health care provider, or health information clearinghouse. The definition of health care is very broad, encompassing almost any therapeutic treatment or counseling service as well as the dispensing of any drug or health-related item. A health care provider is an organization that furnishes, bills, or is paid for health care in the normal course of business and engages in an electronic transaction covered by HIPAA (e.g., electronically submits claims for reimbursement to any third party).
A postsecondary institution that is a HIPAA covered entity may hold health information to which the Privacy Rule may apply, such as the health records of non-students treated through its health clinic, as well as records maintained by other programs, departments, and services offered through the institution. The HIPAA Privacy Rule permits entities like universities, which have some functions that are covered by HIPAA and some that are not, to elect to become a “hybrid entity.” To successfully “hybridize,” the institution must identify those activities that would make it a HIPAA covered entity, designate in writing the health care components that perform functions covered by HIPAA, and assure HIPAA compliance for its covered health care components.
What Action is Recommended
Colleges and universities should take a fresh look at how the HIPAA privacy and security requirements apply to the institution. Many colleges and universities undertook a review of their institutions to identify their HIPAA covered components when the Privacy Rule took effect in 2003. However, the activities of the college or university should be evaluated on a periodic basis to assure continued compliance in light of technological, regulatory or operational changes that could affect how the activities of the institution may fall within the definition of a covered entity. Postsecondary institutions should carefully assess each of their activities by asking whether it falls within the definition of “health care” and by determining whether the institution seeks third-party reimbursement electronically for its health care services. Examples of health care services for which there is reimbursement include medical services, dental clinics, pharmacies, eyeglasses and contact lens dispensaries, and behavioral health counseling services.
Institutions should also consider whether they are a covered entity under the HIPAA Rules that apply to “Health Plans.” With the implementation of the Affordable Care Act (ACA), many colleges and universities may now sponsor health plans or insurance programs that pay for care provided to their students, faculty, and staff.
Successful hybridization by colleges and universities requires careful assessment of the activities of the institution and extension of the safeguards for PHI required under HIPAA. After identifying and designating their health care components, colleges and universities must ensure that those components are in compliance with HIPAA’s privacy and security requirements. Senior leaders are responsible for extending the institution’s HIPAA policies to the covered health care components, as well as for conducting an enterprise-wide information security risk analysis that assesses the technological, environmental, and operational features of each of the HIPAA covered components.