
UMass Agrees to $650,000 HIPAA Settlement

Posted in Electronic Health Records, HIPAA and the HITECH Act, Hospitals and Institutions, Litigation, Privacy and Data Protection

The University of Massachusetts Amherst (UMass) recently agreed to pay $650,000 to the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) to settle alleged HIPAA violations. OCR announced the settlement in a November 22 press release.

UMass’s problems stemmed from a malware infection in a computer workstation, resulting in the inadvertent disclosure of electronic protected health information (ePHI) of 1,670 people. OCR’s investigation revealed several potential violations, including failure to implement policies and procedures to ensure compliance with the HIPAA Privacy and Security Rules, failure to implement appropriate technical security measures to guard against unauthorized access to ePHI, and failure to conduct a timely and thorough risk analysis.

The settlement amount was reduced due to UMass’s financial condition. UMass also agreed to a corrective action plan that includes correcting the above violations and training its staff on HIPAA policies and procedures.
