The Department of Health and Human Services released a statement today regarding a Health Insurance Portability and Accountability Act violation at Idaho State University.
The university's Pocatello Family Medicine left the medical records of more than 17,000 people exposed after maintenance was performed, and firewalls were not put back into place.
However, the violation happened in August 2011.
It has taken the time since then to figure out a course of action and a fine of $400,000.
Your patient information is tied to sensitive specifics in your life, including job, financial and other personal details.
"Most information in health information is stored electronically," said Portneuf Medical Center's facility privacy officer Madonna Coorough. "Their day-to-day life, their reputations, their employment. The federal government really has stepped in to ensure there are federal protections for our health information."
But when Idaho State University found out, they took action.
"We set up a call center at ISU's expense, gave them [patients] all the proper notices and went through the proper protocol," said Greg Ehardt, ISU's HIPAA Officer. "Just to make sure if there was a problem, that we certainly had addressed it."
The first step ISU took was making the situation known to the federal government. Even though ISU raised the red flag in the first place about a possible breach of patient information, a possible breach is still a violation of HIPAA laws.
So when Idaho State began the corrective process, they didn't realize they had already violated HIPAA laws.
While the university maintains it does not feel an actual violation took place, it still followed the proper procedures to ensure it complied with all the steps when reporting a potential leak of patient information.
It first contacted the Office of Civil Rights, which is under the Health and Human Services Department of the United States Cabinet.
HIPAA was established in 1996. Changes were made in 2009 to address the growing concern of information stored on computers.
"Let's just say HIPAA isn't new," said Coorough. "We've always protected our patient's information."
Ehardt says its information is protected now more than ever.
"Right now, this is an old incident that took place," Ehardt stated. "We don't have any concerns and no one else should be concerned, other than they're now aware of it because OCR (Office of Civil Rights) made them aware of it."
Ehardt also stated that the information was highly unlikely to be accessed, even while the firewalls were down.
But why the time delay?
Both sides had to do their own investigations and due diligence.
Also, it was 10 months between the violation actually occurring and the university becoming aware.