Malware Infiltration Results in $650,000 HIPAA Settlement | Practical Law

The Department of Health and Human Services (HHS) has announced a settlement with an East Coast university involving potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) resulting from a malware infection at one of the university's facilities. The university will pay $650,000 to settle the potential HIPAA violations and must comply with numerous requirements under a corrective action plan.

Practical Law Legal Update w-004-6595 (Approx. 6 pages)

by Practical Law Employee Benefits & Executive Compensation
Published on 25 Nov 2016, USA (National/Federal)
On November 22, 2016, HHS announced a $650,000 settlement with an East Coast university involving potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). HHS's investigation occurred after the university informed the government of a malware infection at one of its facilities that resulted in disclosure of the electronic protected health information (ePHI) of more than 1,600 individuals (see the HIPAA Privacy, Security, and Breach Notification Toolkit and Practice Note, HIPAA Enforcement and Group Health Plans: Penalties and Investigations).
The university chose to be a hybrid entity for HIPAA purposes, a status that is available for entities with some functions that are covered by HIPAA and others that are not. To elect hybrid status, an entity must:
  • Designate in writing the health care components that perform functions that are subject to HIPAA.
  • Assure HIPAA compliance for the covered health care components.

Scope of HIPAA Compliance Failures

In June 2013, the university informed HHS that a workstation at one of its facilities had been infected by malware (that is, a generic remote-access Trojan), which resulted in the breach of unsecured ePHI affecting more than 1,600 individuals (see Practice Note, HIPAA Breach Notification Rules for Group Health Plans). The information included individuals' names, addresses, social security numbers, dates of birth, health insurance information, diagnoses, and procedure codes. Later that summer, HHS began an investigation of the university's compliance with HIPAA's privacy, security, and breach notification rules (see Practice Notes, HIPAA Privacy Rule and HIPAA Security Rule).
HHS's investigation revealed that the university had failed to designate all of its health care components when "hybridizing" for HIPAA purposes. The university incorrectly determined that the facility at which the breach occurred was not a covered health care component under the hybrid entity rules. As a result, the university did not implement:
  • HIPAA policies and procedures at the facility.
  • Technical security measures at the facility, including a firewall to prevent unauthorized access to ePHI transmitted over an electronic communications network.
HHS's investigation also indicated that the university:
  • Did not perform a full and accurate risk analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of all its ePHI.
  • Violated HIPAA's privacy rule by providing access to the ePHI of more than 1,600 individuals whose information was maintained on a workstation at the facility that was infected by malware.

Corrective Action Plan

In addition to the $650,000 payment, the university must adhere to a corrective action plan (CAP) that includes a risk analysis and various other obligations.

Risk Analysis and Risk Management Plan Required

The university must perform a comprehensive risk analysis of the potential risks and vulnerabilities to ePHI that it holds. The risk analysis must:
  • Include all the university's facilities, whether owned or rented.
  • Assess the risks to ePHI on all of the university's electronic equipment, data systems, and applications that:
    • are controlled, administered, or owned by the university or any of its entities; and
    • contain, store, transmit, or receive ePHI.
Before performing the risk analysis, the university must develop a complete inventory of all its facilities, electronic equipment, data systems, and applications that contain or store ePHI (all of which must be included in the risk analysis).
The university also must provide documentation supporting a review of current security measures and risk levels to its ePHI associated with:
  • Network segmentation.
  • Network infrastructure.
  • Vulnerability scanning.
  • Logging and alerts.
  • Patch management.
The university will have 180 days to provide its risk analysis to HHS, for the government's approval.
In addition, the university must develop an enterprise-wide risk management plan to address and mitigate any security risks and vulnerabilities revealed in its risk analysis. The plan must include a process and timeline to govern the university's implementation, evaluation, and revision of its "risk remediation" activities.

Revised Policies and Procedures

The university must review and revise the written HIPAA policies and procedures for the facility where the breach occurred. The university must then:
  • Provide its policies and procedures to HHS for review and approval, within 90 days of when HHS approves the university's risk analysis.
  • Adopt the policies and procedures within 30 days of when HHS approves them.
The university also must distribute the policies and procedures to:
  • All members of the facility's workforce who use or disclose ePHI, within 30 days of when HHS approves the policies and procedures.
  • New workforce members who will use or disclose ePHI, within 30 days of when they start work.

HIPAA Training and Certifications

All university workforce members at the facility with access to ePHI must receive specific training on the university's policies and procedures, as revised:
  • Within 90 days of when the policies and procedures are adopted.
  • At least annually thereafter.
Individuals who will have access to ePHI that join the university after the initial training period must be trained within 30 days of when they start.
Individuals required to attend training also must certify, in electronic or written form, that they received the training. The training certification must specify the date on which the training was received. The university must review its training at least annually, and update it for relevant developments that include:
  • Changes in federal law or HHS guidance.
  • Any issues discovered during audits or reviews.

Practical Impact

HHS HIPAA settlement agreements involving malicious malware are becoming more common. A year ago, HHS announced a similar settlement with a university that was the victim of a malware attack (see Legal Update, Malicious Malware Leads to $750,000 HIPAA Settlement). In this most recent enforcement action, however, the university was especially vulnerable to attack because its failure to identify the facility where the breach occurred as a health care component under HIPAA's hybrid rules meant that the facility was not protected by a firewall that might otherwise have prevented the malware infiltration.
HHS implies that the $650,000 settlement payment in this case would have been greater, but for the fact that the university operated at a financial loss during 2015. Under the current administration, settlement agreements typically involve multi-million dollar payments (see Legal Update, HHS Claims a Record Haul With $5.55 Million HIPAA Settlement). (Regarding other recent resolution agreements in the HIPAA compliance space, see Practice Note, HIPAA Enforcement and Group Health Plans: Penalties and Investigations.)
Earlier this year, HHS offered guidance addressing a type of malware known as ransomware (see Legal Update, Ransomware Attacks Addressed in HIPAA Security Guidance). Some of the HIPAA security measures addressed in that guidance (for example, training users on malicious software protection so they can detect malicious software and know how to report such detections) may be instructive to HIPAA covered entities and business associates in preventing malware attacks in general.