On May 21, 2013, the Department of Health and Human Services (“HHS”) announced a resolution agreement and $400,000 settlement with Idaho State University (“ISU”) for a breach that affected 17,500 individuals.

The ISU settlement relates to servers that had their firewall protections disabled, which left the electronic protected health information (“ePHI”) of patients at ISU’s Pocatello Family Medicine Clinic unsecured for at least ten months. Following the submission of a breach report to the HHS Office for Civil Rights (“OCR”), an investigation determined that ISU allegedly had not complied with HIPAA Security Rule requirements, including by conducting an incomplete and inadequate risk analysis and by failing to “adequately implement procedures to regularly review records of information system activity to determine if any ePHI was used or disclosed in an inappropriate manner.”

Pursuant to the resolution agreement, ISU has agreed to pay $400,000 to HHS to settle the potential violations. In addition, the Corrective Action Plan attached to the resolution agreement requires ISU to: (1) provide HHS with documentation designating it a hybrid entity and identifying all of its designated covered health care components, (2) provide its risk management plan to HHS, (3) submit records pertaining to the implementation of its information system activity review across its covered health care components, (4) conduct and document a compliance gap analysis, and (5) investigate and report any violation of its HIPAA Privacy and Security policies and procedures to HHS within 30 days of the investigation. The report to HHS must include a detailed description of the facts, the relevant HIPAA policy or procedure violated, and any sanctions or remediation measures taken.

In announcing the settlement, OCR Director Leon Rodriguez noted that risk analyses and information system activity reviews comprise the “cornerstones of an effective HIPAA security compliance program.”