So we are barely out of November, and we have our thirteenth major HIPAA enforcement action for 2016. On November 22, 2016, the Office of Civil Rights ("OCR") announced it had reached a settlement with University of Massachusetts Amherst including a fine of $650,000 and a required corrective action plan. The settlement was reached after OCR's investigation of a 2013 breach involving malware on a university computer. This tale is hardly anything new, although it shows OCR is making good on its promise to step up enforcement in 2016. This story also reminds us there are no small breaches of security; all come with significant costs.
What happened. According to the OCR, a workstation in the school's Center for Language, Speech, and Hearing was infected with malware, resulting in the impermissible disclosure of electronic protected health information (ePHI) of 1,670 individuals. The ePHI included names, addresses, Social Security numbers, dates of birth, health insurance information, and procedure codes. The malware used was hardly the creation of a mad scientist hacker in the Ukraine. Rather, according to the OCR statement, it was a "generic remote access Trojan that infiltrated their system" and enabled the unauthorized access to ePHI. According to the school, there was "no evidence suggesting or indicating that any data was copied from the workstation." The university also has had no reports of misuse of the information or other indications of harm, but reminded students to be vigilant.
So what can we learn? This action is interesting as it involves some new twists and reminders for organizations of any size and in any sector. That said, some of the following points are tried and true data governance practices.
1. Hybrids have benefits, but risks. While UMASS Amherst had a HIPAA compliance program in place, the center that was hit by the attack was not designated as part of the HIPAA covered entity and therefore had not implemented the necessary safeguards to ensure HIPAA compliance. HIPAA, specifically 45 C.F.R. § 164.105, allows for "hybrid entities" or entities that perform both HIPAA and non-HIPAA regulated services. More simply, a hybrid entity may perform both healthcare and non-healthcare functions. To be compliant, a school must designate in writing those parts that have a healthcare component and those that do not. The OCR stressed these critical requirements in its statement, "Entities that elect hybrid status must properly designate their healthcare components and ensure that those components are in compliance with HIPAA's privacy and security requirements." UMASS Amherst failed to designate the center where the breach occurred as a HIPAA-covered component.
2. Hybrids of another kind. To be clear, this OCR enforcement action was under HIPAA only. However, it is worth noting that universities and other schools in the United States are also regulated by the Family Educational Rights and Privacy Act, or "FERPA." Both laws can govern the collection, use and sharing of student information. In fact, FERPA includes exemptions for student information contained in medical records in certain situations. The point is that it is critical to properly categorize and map the flow of personal information within and outside your organization. Only with this done, can you properly determine what laws apply and when. A solid governance program is rooted in understanding which rules (laws) apply, and keeping up with that assessment. (This, of course, is to say nothing of individual state breach laws that must be considered in a breach like the one at UMASS Amherst.)
3. Administrative, Technical and Physical Safeguards. If you read our blog regularly, you already know that I go on and on about these three important components to any data governance plan. But including such safeguards is not just a best practice. In truth, many laws, including HIPAA, mandate such safeguards or at least include a requirement for their consideration as part of a risk assessment. Two of the three were indicated as lacking in the OCR's report on UMASS Amherst.
a. Technical. UMASS failed to implement technical security measures to guard against unauthorized access to ePHI by ensuring that firewalls were in place. Firewalls should be considered a standard part of any layered security program. Other safeguards that can help in such cases are intrusion detection services, anti-malware and anti-virus software. HIPAA does not necessarily mandate one or all of them, but the law does expect reasonable and commercial available safeguards to be implemented in line with an entity's capabilities. The NIST "crosswalk" is a great tool by which you can evaluate your safeguards against the HIPAA Security Rule.
b. Administrative. While technical safeguards get all the press, there is simply no better place to start getting your governance plan together than by implementing strong administrative safeguards around your data. Such safeguards include policies, procedures, contracts, training, audits and risk assessments. Indeed, UMASS Amherst had not completed a risk assessment at the time of the breach and also had insufficient policies and procedures in place for a hybrid entity. You need only look as far as the OCR's Corrective Action Plan issued to UMASS Amherst to understand the importance of these safeguards in managing your risk.
4. "Small" Breach; Huge Costs. The UMASS Amherst breach resulted in less than 1,700 records being accessed. Relatively speaking, this is a small breach when considering the number of records. But the costs for the school are anything but small.
a. Financial. $650,000. That is a lot of money. But it is not the only financial expense. The school will have to implement a variety of changes to its compliance program that will also cost money, not to mention the time and resources to complete the tasks assigned. Included in the OCR's Correction Action Plan are the requirements to conduct a security risk analysis, develop a risk management plan, develop new policies and procedures, and conduct employee training. These can be significant undertakings representing a large operational cost which was likely not in anyone's budget. Better to plan and save for such expenses versus having them heaped on you.
IMPORTANT REMINDER: This is also a great opportunity to remind you to read your cyber insurance policies carefully to ensure regulatory actions (like this one by OCR) are covered. Often lawsuits and regulatory actions are treated differently under such policies. So, while I often recommend cyber insurance as part of your risk management tool box, you do need to do your homework on what is covered.
b. Reputational. A data breach never looks good, but it can be especially bad when basic protections and compliance steps are overlooked. Education and healthcare are two sectors in which we expect a commitment to privacy and security, especially when it comes to our children's information. Such a breach can damage students' trust, as well as that of their parents. Furthermore, when a federal agency issues a public report, details you may not want released can become public. For example, according to the OCR's press release, the amount of $650,000 was set based on "the fact that the university operated at a financial loss in 2015." While I suppose there is good news in that the fine could have been more, it surely is not outweighed by having such news shared this way.
As the year draws to a close, it is the perfect time to assess your data governance planning and make sure you have room in the budget to improve in 2017. The risk is ever-present. What you do today can save you time, money and so much more tomorrow. (Or, maybe $650,000 is "small breach" chump change for you and your business.)