Kansas Employment Law Blog Photo
HIPAA Enforcement: Watch Out for Disabled Firewalls

I've been fairly diligent in reporting on enforcement actions taken by HHS under the HIPAA privacy and security rules over the past year or so. If you've followed those posts, the outcome of the following case will not surprise you. 

In a recent press release, HHS announced a $400,000 settlement and resolution agreement with Idaho State University relating to violations of the HIPAA security rule that resulted in a data breach with respect to 17,500 patients of a primary care clinic operated by the university. The breach occurred when a firewall providing security for a server storing patient data was disabled, leaving the data unsecured. The press release and resolution agreement do not indicate that any actual disclosure of the patient data occurred. But the firewall had been disabled for 10 months before the clinic or university realized it. 

Yes, 10 months.

Quoting from the press release: "[HHS] concluded that ISU did not apply proper security measures and policies to address risks to ePHI and did not have procedures for routine review of their information system in place, which could have detected the firewall breach much sooner." In other words, they weren't trying hard enough - maybe not at all.

Here are a few takeaways:

  • The HIPAA security rule is just as potent as the HIPAA privacy rule. Failure to comply with the security rule won't be excused just because there was no actual loss of privacy.
  • You have to try. The security rule is written in relative rather than absolute terms. For the most part, there are no hard-and-fast security requirements that must be met. But some effort must be made to adequately assess security risks and then monitor the data systems to determine whether there are any gaps or changes.
  • A reportable breach of protected health information can occur even without a loss of data. And the breach notification rule continues to do more than just tell HHS what kinds of problems are out there. They are actively pursuing enforcement actions based on those breach notifications. 

And remember, it's not just health care providers that are subject to these rules. Group health plans must comply as well and will be held to the same high standards as health care providers.


Don Berner Image
Don Berner, the Labor Law, OSHA, & Immigration Law Guy
Boyd Byers Image
Boyd Byers, the General Employment Law Guy
Jason Lacey Image
Jason Lacey, the Employee Benefits Guy
Additional Sources
Subscribe to Kansas Employment Law Letter Image
Subscribe to Kansas Legislative Insights Image