The University of Massachusetts Amherst (UMass) recently agreed to pay $650,000 to the U.S. Department of Health and Human Services Office for Civil Rights (OCR) to settle alleged HIPAA violations. OCR announced the settlement in a November 22 press release.
UMass's problems stemmed from a malware infection in a computer workstation, resulting in the inadvertent disclosure of electronic protected health information (ePHI) of 1,670 people. OCR's investigation revealed several potential violations, including failure to implement policies and procedures to ensure compliance with the HIPAA Privacy and Security Rules, failure to implement appropriate technical security measures to guard against unauthorized access to ePHI, and failure to conduct a timely and thorough risk analysis.
The settlement amount was reduced due to UMass's financial condition. UMass also agreed to a corrective action plan that includes correcting the above violations and training its staff on HIPAA policies and procedures.