Idaho State University Hit with Breach Penalty

by Patrick Kennedy | May 29, 2013

The accidental disclosure of electronic Protected Health Information stored on one of Idaho State University’s servers has led the Department of Health and Human Services’ Office for Civil Rights to issue a large fine.

The University discovered that a server holding data for one of its HIPAA-covered clinics had its firewall accidentally disabled, leading to a 10-month data security violation.

The OCR review found three main areas of non-compliance. First, a HIPAA Risk Analysis had clearly not been carried out; had it been, the server with its firewall deactivated would have been discovered. Second, there was no active risk management process, which could also have found the problem. Third, an Information System Activity Review had not been completed. The HIPAA Security Rule requires all three of these procedures to be implemented at a healthcare organization in order to be HIPAA-compliant. It was clear that ISU had, albeit unknowingly, violated HIPAA regulations, without the OCR having to complete a full compliance assessment.

OCR Director Leon Rodriguez said: “Risk analysis, ongoing risk management, and routine information system reviews are the cornerstones of an effective HIPAA security compliance program”. Ensuring that current systems have the required safeguards in place does not mean that those measures will always remain in place.

Updates to policies, strategies and procedures should naturally follow rule amendments and the introduction of new legislation, but organizations should not wait for Congress to introduce stricter measures before revising current data protection systems and internal policies. Data security needs to be monitored, tested and updated constantly to ensure that it still conforms to the same standards as when it was introduced and, in the case of firewalls, to ensure they are still in place.

Any healthcare organization that has taken steps to become HIPAA-compliant yet has not completed a further Security Risk Analysis or Information System Activity Review is in all likelihood now breaching HIPAA regulations. If audited, it could be hit with sanctions for non-compliance. Along with financial penalties, the OCR requires that organizations read the guidance released via its website, which clearly outlines what is required in order to be HIPAA compliant. All HIPAA-covered bodies are obliged to read these guidelines.

HIPAA regulations often do not spell out the means by which a rule must be adhered to, and some flexibility is allowed for organizations to apply the controls most suitable for the systems they currently have in place. There are some areas of data security that can easily be overlooked, especially by smaller healthcare organizations and those recently brought within scope by HIPAA Rule amendments.

These include:

  1. Install Firewalls and Check They Are Working
    • Firewalls are a barrier between your internal computer systems and everyone else with internet access. They are vital to stop your data from being freely accessible on the internet and to stop hackers carrying out targeted attacks to steal PHI data. Firewalls can be fully effective once they are switched on and the license is current. When a firewall is turned off, hackers can gain access to a computer, and firewall rules can be altered to maintain access when it is reactivated.
  2. Implement Very Restrictive Anti-Virus Policies
    • Firewalls can protect a system from intrusion and many have anti-virus features, although additional controls should be employed to prevent accidental infection. These measures must be updated regularly, licenses checked and systems scanned persistently as an additional safeguard, so that should an infection get through the controls, it is quickly identified and remediated. A firewall and antivirus software should be installed and watched by a qualified IT professional.
  3. Conduct Security Monitoring on an Ongoing Basis
    • Not all network violations raise alarms, as the ISU security breach clearly showed. Data security measures are only effective if they are active, and firewalls can be switched off by mistake. It is therefore important to conduct regular data security checks, and there are many advantages to employing an external data security company to continuously monitor data security and integrity, regularly update software, conduct the necessary reviews and provide documentation that these safeguards have been performed.
  4. Keep a Record of All HIPAA Compliance and Data Security Safeguards Employed
    • Putting in place the controls required under HIPAA to protect ePHI and computer systems from infiltration is only part of compliance. Should an organization be audited, documentation must be shown as evidence of the measures undertaken. Details of the security settings in place must be provided, maintenance records kept, and software upgrades and patches tracked and provided to the OCR during an audit.
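As an added example (not part of the original article or of any ISU tooling) that ties items 1, 3 and 4 together: a small Python audit that reads an `iptables -S` ruleset dump, flags a flushed or permissive firewall of the kind that went unnoticed at ISU, and produces a dated pass/fail record suitable for an Information System Activity Review file. The two rulesets below are constructed samples; in practice the dump would be collected from each host on a schedule.

```python
"""Audit an iptables ruleset dump for a disabled or permissive firewall.

Input is the text of `iptables -S` (constructed samples below). Output is
a list of findings plus a dated record for the compliance file.
"""
import re
from datetime import datetime, timezone

# Constructed sample: a host whose firewall has been flushed or turned off.
# Every chain defaults to ACCEPT and there are no rules at all.
DISABLED_RULESET = """-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
"""

# Constructed sample: a working ruleset. INPUT defaults to DROP and only
# established traffic plus one service port are allowed in.
HEALTHY_RULESET = """-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
"""

POLICY_RE = re.compile(r"^-P (\S+) (\S+)$")   # "-P CHAIN POLICY"
RULE_RE = re.compile(r"^-A (\S+) ")           # "-A CHAIN <match/target>"

def audit_ruleset(dump: str) -> list:
    """Return findings; an empty list means the firewall looks active."""
    policies, rule_counts = {}, {}
    for line in dump.splitlines():
        m = POLICY_RE.match(line)
        if m:
            policies[m.group(1)] = m.group(2)
            continue
        m = RULE_RE.match(line)
        if m:
            rule_counts[m.group(1)] = rule_counts.get(m.group(1), 0) + 1
    findings = []
    for chain in ("INPUT", "FORWARD"):
        if policies.get(chain) != "DROP":
            findings.append(f"{chain} default policy is "
                            f"{policies.get(chain, 'missing')}, expected DROP")
    if rule_counts.get("INPUT", 0) == 0:
        findings.append("INPUT chain has no rules: firewall appears flushed or disabled")
    return findings

def audit_record(host: str, dump: str, when: datetime = None) -> dict:
    """Build the dated record an auditor would expect to see for this check."""
    when = when or datetime.now(timezone.utc)
    findings = audit_ruleset(dump)
    return {"host": host, "checked_at": when.isoformat(),
            "status": "FAIL" if findings else "PASS", "findings": findings}

if __name__ == "__main__":
    for host, dump in (("clinic-db", DISABLED_RULESET), ("clinic-web", HEALTHY_RULESET)):
        print(audit_record(host, dump))   # hostnames are constructed placeholders
```

Running the check on a schedule and retaining each record gives both the alert the ISU server never raised and the dated evidence an OCR audit asks for.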

Details of Information System Activity Reviews, HIPAA Risk Analyses and their results, and risk management processes must be documented, dated and accessible to auditors. An organization must be able to prove that it is adhering to the HIPAA compliance rules.




Patrick Kennedy

