University Must Pay $2.7 Million HIPAA Settlement


This settlement also could reflect an ongoing “raising of the bar” by HHS where HIPAA compliance is involved. The university ran repeated risk analyses, but its relationship with its cloud vendor was not covered by a business associate agreement.


Despite Six Risk Analyses, University Must Pay $2.7 Million in HIPAA Settlement

  • Resource type: Legal Update: archive
  • Status: Published on 19-Jul-2016
  • Jurisdiction: USA

The Department of Health and Human Services (HHS) has announced a settlement of potential violations of the Health Insurance Portability and Accountability Act (HIPAA) involving a West Coast university. The university will pay $2.7 million to settle the potential HIPAA violations and must take corrective measures that include a risk management plan emphasizing encryption objectives.

Practical Law Employee Benefits & Executive Compensation

Despite performing six risk analyses in the span of 10 years, a university (and HIPAA covered entity) must pay $2.7 million to HHS for potential violations of HIPAA’s privacy and security requirements (see Practice Notes, HIPAA Privacy Rule and HIPAA Security Rule). In a resolution agreement and press release issued on July 18, 2016, HHS indicated that the university would also be required to undertake a comprehensive three-year corrective action plan.

HHS began its investigation after the university submitted notification reports to the government involving a breach of unsecured electronic protected health information (ePHI) from a stolen laptop computer (see Practice Notes, HIPAA Breach Notification Rules and HIPAA Enforcement: Penalties and Investigations, and HIPAA Toolkit). A second notification report involved a breach of individuals’ ePHI that was stored on a cloud-based server (see Practice Note, Cloud Computing and HIPAA Privacy and Security). HHS indicated that the ePHI stored on the server included individuals’ credit card and payment information, diagnoses, photos, driver’s license numbers, and Social Security numbers.

HHS acknowledged that the university had carried out at least six risk analyses from 2003 to 2013, though apparently those analyses were not enterprise-wide (see Practice Note, HIPAA Breach Notification Rules: Risk Assessment’s First Factor: Nature and Extent of PHI Involved). In HHS’s view, the university failed to timely address certain vulnerabilities identified in the risk analyses with appropriate measures. According to HHS, the university also permitted individuals’ ePHI to be disclosed to the third-party cloud-based service provider without:

HHS’s investigation indicated that the university had failed to adopt policies and procedures to detect, mitigate, and correct security violations. The university also lacked a process for encrypting and decrypting ePHI, though it had identified lack of encryption as a potential risk during its risk analyses.

Under its resolution agreement with HHS, in addition to the $2.7 million payment, the university must:

  • Comply with a corrective action plan (CAP) (see Corrective Action Plan).
  • Submit annual reports detailing its compliance with the CAP for subsequent reporting periods.

Corrective Action Plan

Among other obligations, the CAP requires the university to:

  • Perform a thorough risk analysis of its ePHI vulnerabilities that includes all the university’s facilities and all systems, networks, and devices that create, receive, maintain, or transmit ePHI.
  • Develop a comprehensive “risk management plan” to ensure compliance with both HIPAA and the university’s internal privacy and security procedures.
  • Submit its risk management plan to HHS for approval within 310 days, and timely update the plan in response to HHS’s review of the plan.
  • Provide periodic updates to HHS regarding its efforts to encrypt university-owned and personally-owned mobile devices (including tablets and smart phones) that access ePHI on the university’s network.
  • Adopt policies to prohibit the transfer of data containing ePHI from university-owned and personally-owned devices to unencrypted removable storage devices (for example, USB drives and portable hard drives).

Training Materials

The CAP also requires the university to provide HHS with its training materials on HIPAA privacy and security awareness (see Standard Document, HIPAA Training: Presentation Materials). In the university’s case, the CAP includes specific content requirements for this training. For example, the training materials must address:

  • The use of internet-based information storage devices.
  • Disclosures to third parties that require a BAA or other reasonable assurances that a business associate will protect PHI and ePHI.
  • Training for managers regarding subordinates’ use and disclosure of PHI and ePHI.
  • Security incident reporting and password management.

Practical Impact: Cloud Providers as HIPAA Business Associates

Though multi-million dollar HHS settlements involving HIPAA compliance have become surprisingly routine, this one caught our eye because of what it suggests regarding HHS’s position on cloud vendors as HIPAA business associates. In the past, it could be argued that at least some cloud providers fell within a “conduit exception” to the BAA requirement that HHS had recognized regarding entities that merely transported information but generally did not access it (see Practice Note, Cloud Computing and HIPAA Privacy and Security: Conduit Exception to Business Associate Status). More recently, however, HHS has taken the view that an entity that maintains PHI on a covered entity’s behalf is a business associate and not a conduit – even if the entity does not view the PHI.

In this settlement agreement, the cloud provider was involved in storing the university’s ePHI and HHS assumes, without analysis of the question, that the cloud provider is a HIPAA business associate with whom the university, as a covered entity, should have executed a BAA. As a result, HIPAA covered entities that use the storage services of cloud providers in a relationship that is not governed by a HIPAA BAA may wish to consider formalizing that relationship with a BAA.

This settlement also could reflect an ongoing “raising of the bar” by HHS where HIPAA compliance is involved. Though the university in this case had conducted regular and recurring risk analyses, its efforts were simply not thorough enough in HHS’s eyes. The take-away here is that a risk analysis without appropriate follow-through to address vulnerabilities revealed in the analysis won’t save a covered entity from an expensive settlement – particularly in the face of a high profile and heavily reported breach.

Finally, a covered entity that carries out regular HIPAA training of its workforce may be able to ward off the type of breach that results in an expensive settlement such as this one, and the more onerous training requirements (including specified content dictated by HHS) that may accompany the settlement (see Standard Document, HIPAA Training: Presentation Materials).
