A recent resolution agreement between the United States Department of Health and Human Services, Office for Civil Rights (HHS) and Idaho State University (ISU) requires payment of $400,000 and implementation of a corrective action program to address the breach of unsecured electronic protected health information (ePHI) of approximately 17,500 patients.  According to public information published by HHS (U.S. Department of Health & Human Services), ISU notified federal regulators of a breach and cooperated with an investigation headed by OCR (HHS Office for Civil Rights).   “Risk analysis, ongoing risk management, and routine information system reviews are the cornerstones of an effective HIPAA security compliance program,” said OCR Director Leon Rodriguez. “Proper security measures and policies help mitigate potential risk to patient information.” HHS Press Release

The key findings of the investigation were as follows:

  1.  ISU did not conduct an analysis of the risk to the confidentiality of ePHI as part of its security management process from April 1, 2007 until November 26, 2012;
  2.  ISU did not adequately implement security measures sufficient to reduce the risks and vulnerabilities to a reasonable and appropriate level from April 1, 2007 until November 26, 2012; and
  3.  ISU did not adequately implement procedures to regularly review records of information system activity to determine if any ePHI was used or disclosed in an inappropriate manner from April 1, 2007 until June 6, 2012.

See Resolution Agreement Here.  It should be noted that ISU admitted no fault.

Seen in a broader context, data breach is increasingly costly for public entities and private companies alike. Regulatory action and potential civil liability are on the increase under HIPAA and across all business sectors. For example the Federal Trade Commission (FTC ) regularly addresses circumstances where private companies engage in unfair or deceptive acts involving customer data or  fail to follow their privacy polices specially where children are concerned.

Click here for a summary of laws and resources for business on data privacy and security including information on:

  • Children’s Online Privacy Protection Act (COPPA)
  • The Gramm-Leach-Bliley Act
  • U.S.-EU Safe Harbor Framework

All businesses should have a risk assessment completed and should implement reasonable practices and procedures for securing data, especially electronic protected health information (ePHI) or other personally identifiable  information (PII). The FTC publication Protecting Personal Information: A Guide for Business . A Privacy and Data Security attorney can work with businesses to reduce the risks associated with potential data breach. Another thing to consider is insurance for cyber liability and data breach which is increasingly available at reasonable prices. Consult your insurance professional for more information on available coverage and costs.