The University of Massachusetts’ Amherst campus just learned a hard and incredibly expensive lesson about how serious the Department of Health and Human Services is about cracking down on HIPAA noncompliance.
In the 13th high-profile fine of the year, the university was hit with a staggering $650,000 fine. Based on agency comments, it could have been, and would have been, much higher, but “…the university operated at a financial loss in 2015.”
What makes that statement all the more terrifying are the key facts surrounding the case, which are:
• The University voluntarily reported that a satellite office and language center had been the subject of a generic malware infection, designed to collect data and send it back to the attackers who operate the code.
• They could not verify or rule out whether any protected health information had been put at risk during the period when the language center was infected.
• The malware would have put just 1,700 health records at risk.
What the case comes down to is that although the language center was a satellite office, it was still possible to access PHI from that location. Even so, the university did not treat the satellite office as part of the network that was required to comply with HIPAA rules.
In addition to the fine, the university has agreed to a corrective action plan to help ensure that a similar incident does not happen in the future. This once more underscores just how seriously the government has begun to take HIPAA noncompliance.
If your firm is in any way involved with or connected to protected health information, it is extremely important that you conduct a comprehensive review, covering every location from which PHI can be accessed, to ensure that you are fully compliant and avoid a fine like this one.
If you’re not sure and you need extra help, then don’t hesitate to contact us. One of our talented team members would be happy to work with you to analyze your compliance risks and work out a plan of action to ensure that your firm isn’t the next headline.