May 30, 2019. The Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS) has resolved, through settlements with two healthcare firms, matters concerning breaches of protected health information (PHI).
On May 6, 2019, OCR announced in a press release that Touchstone Medical Imaging in Tennessee agreed to pay $3 million and implement a corrective action plan to settle violations of the HIPAA Security and Breach Notification Rules. Touchstone failed to secure the PHI of more than 300,000 patients on one of its servers and failed to provide timely notification of the breach to affected individuals, as required. As part of its investigation, OCR also determined that Touchstone failed to conduct “an accurate and thorough risk analysis of potential risks and vulnerabilities to confidentiality, integrity, and availability of all of its electronic PHI, and failed to have business associate agreements in place with its vendors… as required by HIPAA.” The resolution agreement requires Touchstone to “undertake a robust corrective action plan that includes the adoption of business associate agreements, completion of an enterprise-wide risk analysis, and comprehensive policies and procedures to comply with the HIPAA Rules.”
On May 23, 2019, OCR announced in a press release that Medical Informatics Engineering (MIE), a business associate providing software and electronic medical services to healthcare providers, paid OCR $100,000 to settle potential HIPAA Privacy and Security Rule violations. On July 23, 2005, this business associate reported to OCR a breach it had discovered, namely that “hackers used a compromised user ID and password to access electronic PHI of approximately 3.5 million people. OCR’s investigation revealed that MIE did not conduct a comprehensive risk analysis prior to the breach.” OCR Director Roger Severino stated: “The failure to identify potential risks and vulnerabilities to ePHI opens the door to breaches and violates HIPAA.” The corrective action plan accompanying the resolution agreement requires, among other obligations, that MIE do the following with regard to conducting a risk analysis:
“MIE shall conduct an accurate and thorough assessment of the potential security risks and vulnerabilities to the confidentiality, integrity, and availability of MIE’s electronic protected health information (“ePHI”) (“Risk Analysis”). The Risk Analysis shall evaluate the risks to the ePHI on its electronic equipment, data systems, and applications controlled, administered or owned by the MIE, that create, receive, transmit, or maintain ePHI. Prior to conducting the Risk Analysis, MIE shall develop a complete inventory of all of its facilities, categories of electronic equipment, data systems, and applications that create, receive, transmit, or maintain ePHI, which will then be incorporated into its Risk Analysis.
“MIE shall provide the Risk Analysis… to HHS within thirty (30) days of the Effective Date [of the Resolution Agreement] for HHS’ review.
“MIE shall review the Risk Analysis annually. MIE shall also promptly update the Risk Analysis in response to environmental or operational changes affecting the security of ePHI. Following an update to the Risk Analysis, MIE shall assess whether its existing security measures are sufficient to protect its ePHI, and revise its Risk Management Plan, policies and procedures, and training materials, as needed.”
On May 28, 2019, a judge of the U.S. District Court for the Northern District of Indiana (South Bend Division) signed a $900,000 consent judgment negotiated by 16 state attorneys general and MIE in the first-ever multistate lawsuit involving a HIPAA breach, the same breach addressed by the OCR settlement described above. In its online guidance entitled “State Attorneys General,” OCR states that the HITECH Act of 2009 “gave State Attorneys General the authority to bring civil actions on behalf of state residents for violations of the HIPAA Privacy and Security Rules. The HITECH Act permits State Attorneys General to obtain damages on behalf of state residents or to enjoin further violations of the HIPAA Privacy and Security Rules.”