Another business associate is paying a big settlement to resolve a HIPAA investigation by the Office for Civil Rights (OCR), the agency that enforces HIPAA.
MedEvolve is an Arkansas-based company that provides revenue cycle management, practice management, and practice analytics software to healthcare organizations. MedEvolve is paying $350,000 to OCR and implementing corrective actions required by the settlement agreement.
OCR Investigates Large Breaches
MedEvolve reported a healthcare data breach to HHS in July 2018 after it “discovered that an FTP containing a file with information related to certain Premier patients was inadvertently accessible to the internet.” The breach affected 230,572 individuals and exposed patient names, phone numbers, billing addresses, health insurer information, and Social Security numbers.
The Office for Civil Rights (OCR) at HHS began an investigation to evaluate the breach and found a number of potential HIPAA violations. Two key violations stood out:
- Failure to complete a Risk Analysis; and
- Failure to enter into a business associate agreement with a subcontractor.
OCR’s press release about the settlement states:
“Ensuring that security measures are in place to protect electronic protected health information where it is stored is an integral part of cybersecurity and the protection of patient privacy,” said OCR Director Melanie Fontes Rainer. “HIPAA regulated entities must ensure that they are not leaving patient health information unsecured on network servers available to the public via the internet.”
Business Associates Must Follow HIPAA
Business associates must have HIPAA policies in place and enter business associate agreements with the covered entity customers they serve. They are also required to enter into subcontractor business associate agreements with any subcontractors they use to assist in their work for customers.
Both covered entities and business associates need to conduct a thorough HIPAA Risk Analysis and follow through with a Risk Management plan to reduce the risks uncovered in the analysis. It appears that MedEvolve failed in both responsibilities.
Corrective Action Plan
The settlement imposes two years of monitoring by OCR to ensure compliance with the HIPAA Privacy and Security Rules. According to OCR, MedEvolve will take the following steps:
- Conduct an accurate and thorough risk analysis to determine risks and vulnerabilities to electronic patient/system data across the organization;
- Develop and implement a risk management plan to address and mitigate the security risks and vulnerabilities identified in the risk analysis;
- Develop, maintain, and revise, as necessary, its written policies and procedures to comply with the HIPAA Privacy and Security Rules;
- Augment its existing HIPAA and Security Training Program for all MedEvolve workforce members who have access to protected health information; and
- Report to HHS within sixty (60) days when workforce members fail to comply with MedEvolve’s written policies and procedures to comply with the HIPAA Privacy and Security Rules.
Avoid Expensive Investigations with The HIPAA E-Tool®
MedEvolve could have prevented the breach and the investigation if it had paid closer attention to its HIPAA responsibilities.
Complying with HIPAA is not expensive or difficult. The HIPAA E-Tool® offers a program specifically for business associates, containing all the policies, forms, procedures and guidance needed to make sure you have what’s required.
Get your HIPAA house in order and avoid a long, painful investigation and the payment required to settle it.