- conduct an analysis of the risk to the confidentiality of ePHI as part of its security management process;
- adequately implement security measures sufficient to reduce the risks and vulnerabilities to a reasonable and appropriate level; and
- adequately implement procedures to review regularly records of information system activity to determine if any ePHI was used or disclosed in an inappropriate manner.
23 May 2013
Idaho State University Settles HIPAA Security Case for $400,000
Idaho State University ("ISU") has agreed to pay $400,000 to the U.S. Department of Health and Human Services ("HHS") for violations of the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") Security Rule. The settlement involves the breach of unsecured electronic protected health information ("ePHI") of 17,500 individuals who were patients at an ISU clinic. HHS found that ISU did not: