Health Law Blog - Healthcare Legal Issues


Malware Infection Causes Breach – Lack of Firewall – Hybrid Entity

Friday, January 27th, 2017

Malware Infection and Lack of Firewall Protection Causes Breach

In yet another significant settlement by OCR, the University of Massachusetts Amherst (UMass) agreed to a monetary penalty of $650,000 arising from a workstation that was infected with malware, which resulted in the impermissible disclosure of electronic protected health information. The disclosure involved information about 1,670 individuals and included names, addresses, social security numbers, dates of birth, health insurance information, diagnoses and procedure codes. The provider determined that the malware was a generic remote access Trojan that was able to infiltrate its system because a proper firewall was not in place.

Central to OCR's analysis was that the provider had failed to identify the components located in its hearing center as part of its covered components. As a result, the provider failed to apply, and to ensure compliance with, the HIPAA privacy and security rules at that location. HIPAA permits a legal entity that has some functions covered by HIPAA and some that are not to elect to become a "hybrid entity." To successfully "hybridize," the entity must designate in writing the health care components that perform functions covered by HIPAA and must assure HIPAA compliance for those covered health care components. It was the failure to properly follow the hybrid entity rules that left the components at the applicable site vulnerable to outside malware attack.

UMass failed to implement technical security measures at the Center to guard against unauthorized access to ePHI transmitted over an electronic communications network; in particular, it did not ensure that firewalls were in place at the applicable location. This settlement stresses the need to assure that all protected information is properly secured and that firewalls are used where needed. It is also instructive regarding the proper application of the rules relating to hybrid status.

John H. Fisher

Health Care Counsel
Ruder Ware, L.L.S.C.
500 First Street, Suite 8000
P.O. Box 8050
Wausau, WI 54402-8050

Tel 715.845.4336
Fax 715.845.2718
