Like many universities, Idaho State University (ISU) operates a number of health facilities, some of which are subject to the HIPAA privacy and security regulations. According to a U.S. Department of Health Human Services (HHS) press release, the Office for Civil Rights (OCR) opened an investigation after ISU notified HHS of a breach in which the electronic "protected health information" (ePHI) of approximately 17,500 patients was unsecured for at least 10 months, due to the disabling of firewall protections at servers maintained by ISU. To settle the alleged violations of the HIPAA security rules, ISU has agreed to pay $400,000, and to comply with a two-year corrective action plan.

OCR’s action here is consistent with prior reported breaches and with its discussions of enforcement in recent final regulations, which we reported on. It is important to note that OCR’s investigation indicated that:

ISU’s risk analyses and assessments of its clinics were incomplete and inadequately identified potential risks or vulnerabilities. ISU also failed to assess the likelihood of potential risks occurring.

Additionally, OCR concluded that ISU did not apply proper security measures and policies to address risks to ePHI and did not have procedures for routine review of their information system in place, which could have detected the firewall breach much sooner.

This makes clear that it is NOT sufficient to simply create policies and procedures that safeguard protected health information. A HIPAA covered entity must conduct and document a risk assessment, a process OCR Director Leon Rodriguez noted is a cornerstone of an effective HIPAA security compliance program. This basic requirement also applies to business associates, and is a common sense practice any entity should follow when setting out to safeguard data.