September 26, 2021


University Pays $400,000 for Unsecured Electronic Protected Health Information

A recent resolution agreement between the United States Department of Health and Human Services (HHS), Office for Civil Rights (OCR), and Idaho State University (ISU) requires payment of $400,000 and implementation of a corrective action program to address the breach of unsecured electronic protected health information (ePHI) of approximately 17,500 patients. According to public information published by HHS, ISU notified federal regulators of a breach and cooperated with an investigation headed by OCR. “Risk analysis, ongoing risk management, and routine information system reviews are the cornerstones of an effective HIPAA security compliance program,” said OCR Director Leon Rodriguez. “Proper security measures and policies help mitigate potential risk to patient information.” (HHS Press Release)

The key findings of the investigation were as follows:

  1.  ISU did not conduct an analysis of the risk to the confidentiality of ePHI as part of its security management process from April 1, 2007 until November 26, 2012;

  2.  ISU did not adequately implement security measures sufficient to reduce the risks and vulnerabilities to a reasonable and appropriate level from April 1, 2007 until November 26, 2012; and

  3.  ISU did not adequately implement procedures to regularly review records of information system activity to determine if any ePHI was used or disclosed in an inappropriate manner from April 1, 2007 until June 6, 2012.

See the Resolution Agreement. It should be noted that ISU admitted no fault.

Seen in a broader context, data breaches are increasingly costly for public entities and private companies alike. Regulatory action and potential civil liability are on the increase under HIPAA and across all business sectors. For example, the Federal Trade Commission (FTC) regularly addresses circumstances where private companies engage in unfair or deceptive acts involving customer data or fail to follow their own privacy policies, especially where children are concerned.

A summary of laws and resources for business on data privacy and security is available, including information on:

  • Children’s Online Privacy Protection Act (COPPA)

  • The Gramm-Leach-Bliley Act

  • U.S.-EU Safe Harbor Framework

All businesses should have a risk assessment completed and should implement reasonable practices and procedures for securing data, especially electronic protected health information (ePHI) or other personally identifiable information (PII). See the FTC publication Protecting Personal Information: A Guide for Business. A privacy and data security attorney can work with businesses to reduce the risks associated with a potential data breach. Another thing to consider is insurance for cyber liability and data breach, which is increasingly available at reasonable prices. Consult your insurance professional for more information on available coverage and costs.

© 2021 by Raymond Law Group LLC. National Law Review, Volume III, Number 143

About this Author

Bruce Raymond Litigation Attorney Raymond Law Group

Bruce H. Raymond has served as lead counsel in over 1000 litigated cases in over 20 years of trial practice in state and federal courts in Connecticut and Massachusetts. Attorney Raymond has obtained many favorable results for clients in jury trials. His experience includes business litigation, products liability, toxic torts including asbestos, and intellectual property matters. He has litigated personal injury insurance defense cases including motor vehicle accidents, premises liability, liquor liability, and professional liability matters.

Attorney Raymond was elected President...