Lessons from the Idaho State University CAP

Back in 2011, Idaho State University (Idaho State) experienced a breach of PHI affecting approximately 17,500 individuals after firewalls on its servers were disabled at one of its outpatient clinics. It appropriately notified HHS in August of that year whereafter (surprise, surprise) HHS informed Idaho State that it would be investigating Idaho State's compliance with HIPAA.

HHS released news of its settlement with Idaho State on May 21, 2013, with Idaho State agreeing to pay $400,000 as part of the Corrective Action Plan (CAP) to resolve allegations that:

  • It did not conduct a risk analysis for over 5 (five) years;
  • It did not implement security measures sufficient to reduce risks and vulnerabilities to ePHI for that same period;
  • It did not implement procedures to regularly review information systems activity for that same period.

As part of the CAP, Idaho State, which operates as a hybrid entity with several covered entity components, must beef up its documentation and specifically designate its covered entity components (i.e., its outpatient clinics). Unsurprisingly, Idaho State is also required to provide HHS with its most recent risk management plan and information systems activity policies for "review and approval" by HHS.  Idaho State must also complete and submit a compliance gap analysis indicating all changes to compliance status with the required provisions of the Security Rule. 

Although Idaho State experienced a breach of PHI AND was informed in November of 2011 that HHS was investigating its compliance with HIPAA, according to HHS, Idaho State did not get around to performing a risk assessment, reviewing information systems activity or identifying gaps in security measures until the summer of 2012 and post-Thanksgiving, November 26, 2012. It is baffling that, after experiencing a breach which was caused by firewall protections being physically disabled for over 10 months, Idaho State appears to have not done much to assess and safeguard against future problems. 

Or did it? Maybe it was just too little, too late. But part of Idaho State's problem could simply have been that it couldn't prove what steps it had taken towards HIPAA security compliance.  Although Idaho State clearly dropped the ball in failing to realize firewalls protections were disabled for almost a year at its Pocatello Family Medicine Clinic, it may have been more compliant than the CAP suggests and simply had nothing to show.

Increasingly, covered entities are realizing that saying and believing they are HIPAA compliant is about as effective with OCR as your teenager telling you he cleaned his room as he runs out the door to the movies.  It's like high school all over again - if you can't "show your work" and prove your HIPAA compliance through documentation, regular reports and reviews, and clearly defined privacy and security policies procedures, OCR simply isn't going to buy it when they show up at your door. 

To be sure, many covered entities have been completely lax about security until now.  Conducting a comprehensive risk assessment (documenting that it was done and periodically reviewed) and having processes in place for ongoing risk management are some of the biggest things OCR has repeatedly been driving home.  Too often, as Idaho State's CAP illustrates, security risk assessments are inadequate and fail to properly identify security risks and vulnerabilities to ePHI. 

On the other hand, many covered entities think that they are compliant with the Security Rule, but really aren't.  A covered entity may conduct a risk assessment of its EHR or EMR, for example, but fail to assess the security risks and vulnerabilities associated with other systems that feed into it or maintain PHI, or with workflow processes, resulting in PHI accidentally being made available online (think Phoenix Cardiac Surgery or Stanford Hospital). Furthermore, where risks and vulnerabilities are identified, appropriate security measures are not always evaluated and action taken as needed to correct them.

As we can see from Idaho State, performing a comprehensive risk assessment now isn't necessarily going to cure your failure to do so before and an overwhelming number of covered entities could still be in the hotseat even if they are actively beefing up their HIPAA privacy and security. And there's still the risk that what has and is being done is simply too little to satisfy OCR. 

However, good faith efforts and diligence to bring your organization into compliance with the Security Rule implementation standards and specifications will go a long way toward lessening the likelihood and impact of an unwanted OCR investigation, not to mention minimizing the risk of breach and harm to your patients and organization.  It is far easier to seek forgiveness for past transgressions from OCR with a robust updated HIPAA security management program in hand.