Indiana Medical Records Service Pays $100,000 to Settle HIPAA Breach

23rd May 2019

Medical Informatics Engineering, Inc. (MIE) has paid $100,000 to the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services, and has agreed take corrective action to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules. MIE is an Indiana company that provides software and electronic medical record services to healthcare providers.


On July 23, 2015, MIE filed a breach report with OCR following the discovery that hackers used a compromised user ID and password to access the electronic protected health information (ePHI) of approximately 3.5 million people. OCR’s investigation revealed that MIE did not conduct a comprehensive risk analysis prior to the breach. The HIPAA Rules require entities to perform an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of an entity’s electronic protected health information.

“Entities entrusted with medical records must be on guard against hackers,” said OCR Director Roger Severino. “The failure to identify potential risks and vulnerabilities to ePHI opens the door to breaches and violates HIPAA.”

In addition to the $100,000 settlement, MIE will undertake a corrective action plan to comply with the HIPAA Rules that includes a complete, enterprise-wide risk analysis.

The resolution agreement and corrective action plan may be found at

New HHS Fact Sheet on Direct Liability of Business Associates under HIPAA

24th May 2019

The HHS Office for Civil Rights (OCR) has issued a new fact sheet that provides a clear compilation of all provisions through which a business associate can be held directly liable for compliance with certain requirements of the HIPAA Privacy, Security, Breach Notification, and Enforcement Rules (“HIPAA Rules”), in accordance with the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009.  In 2013, under the authority granted by the HITECH Act, OCR issued a final rule that, among other things, identified provisions of the HIPAA Rules that apply directly to business associates and for which business associates are directly liable. 

OCR has the authority to take enforcement action against business associates only for those requirements and prohibitions of the HIPAA Rules that appear on the following list. 

  1. Failure to provide the Secretary with records and compliance reports; cooperate with complaint investigations and compliance reviews; and permit access by the Secretary to information, including protected health information (PHI), pertinent to determining compliance.
  2. Taking any retaliatory action against any individual or another person for filing a HIPAA complaint, participating in an investigation or other enforcement processes, or opposing an act or practice that is unlawful under the HIPAA Rules.
  3. Failure to comply with the requirements of the Security Rule.
  4. Failure to provide breach notification to a covered entity or another business associate.
  5. Impermissible uses and disclosures of PHI.
  6. Failure to disclose a copy of electronic PHI to either the covered entity, the individual, or the individual’s designee (whichever is specified in the business associate agreement) to satisfy a covered entity’s obligations regarding the form and format, and the time and manner of access under 45 C.F.R. §§ 164.524(c)(2)(ii) and 3(ii), respectively.
  7. Failure to make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.
  8. Failure, in certain circumstances, to provide an accounting of disclosures.
  9. Failure to enter into business associate agreements with subcontractors that create or receive PHI on their behalf, and failure to comply with the implementation specifications for such agreements.
  10. Failure to take reasonable steps to address a material breach or violation of the subcontractor’s business associate agreement.

“As part of the Department’s effort to fully protect patients’ health information and their rights under HIPAA, OCR has issued this important new fact sheet clearly explaining a business associate’s liability,” said OCR Director Roger Severino.  “We want to make it as easy as possible for regulated entities to understand, and comply with, their obligations under the law.”

The new fact sheet may be found at along with OCR’s guidance on business associates.

Tennessee diagnostic medical imaging services company pays $3,000,000 to settle breach exposing over 300,000 patients’ protected health information

May 6, 2019

This image has an empty alt attribute; its file name is image.png

Touchstone Medical Imaging (“Touchstone”) has agreed to pay $3,000,000 to the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS), and to adopt a corrective action plan to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Security and Breach Notification Rules. Touchstone, based in Franklin, Tennessee, provides diagnostic medical imaging services in Nebraska, Texas, Colorado, Florida, and Arkansas.

In May 2014, Touchstone was notified by the Federal Bureau of Investigation (FBI) and OCR that one of its FTP servers allowed uncontrolled access to protected health information (PHI).  This uncontrolled access permitted search engines to index the PHI of Touchstone’s patients, which remained visible on the Internet even after the server was taken offline. 

Touchstone initially claimed that no patient PHI was exposed.  However, during OCR’s investigation, Touchstone subsequently admitted that the PHI of more than 300,000 patients was exposed including, names, birth dates, social security numbers, and addresses.  OCR’s investigation found that Touchstone did not thoroughly investigate the security incident until several months after notice of the breach from both the FBI and OCR.  Consequently, Touchstone’s notification to individuals affected by the breach was also untimely.  OCR’s investigation further found that Touchstone failed to conduct an accurate and thorough risk analysis of potential risks and vulnerabilities to the confidentiality, integrity, and availability of all of its electronic PHI (ePHI), and failed to have business associate agreements in place with its vendors, including their IT support vendor and a third-party data center provider as required by HIPAA.

In addition to the monetary settlement, Touchstone will undertake a robust corrective action plan that includes the adoption of business associate agreements, completion of an enterprise-wide risk analysis, and comprehensive policies and procedures to comply with the HIPAA Rules. 

The resolution agreement and corrective action plan may be found at

10 Myths and Facts about HIPAA and Meaningful Security Risk Analysis

Conducting  a security risk analysis to meet the standards of Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule is included in the meaningful use requirements of the Medicare and Medicaid EHR Incentive Programs. The following areas addresses some of the common myths about conducting a risk analysis, and provides facts and tips that can help you structure your risk analysis process.


Myth 1: The security risk analysis is optional for small providers

Fact: False. All providers who are “covered entities” under HIPAA are required to perform a risk analysis. In addition, all providers who want to receive EHR incentive payments must conduct a risk analysis.

Myth 2:  Simply installing a certified EHR fulfills the security risk analysis MU requirement


False. Even with a certified EHR, you must perform a full security risk analysis. Security requirements address all electronic protected health information you maintain, not just what is in your EHR.

Myth 3: My EHR vendor took care of everything I need to do about privacy and security

Fact:  False. Your EHR vendor may be able to provide information, assistance, and training on the privacy and security aspects of the EHR product. However, EHR vendors are not responsible for making their products compliant with HIPAA Privacy and Security Rules. It is solely your responsibility to have a complete risk analysis conducted.

Myth 4:  I have to outsource the security risk analysis

Fact: False. It is possible for small practices to do risk analysis themselves using self-help tools. However, doing a thorough and professional risk analysis that will stand up to a compliance review will require expert knowledge that could be obtained through services of an experienced outside professional.

Myth 5:  A checklist will suffice for the risk analysis requirement

Fact: False. Checklists can be useful tools, especially when starting a risk analysis, but they fall short of performing a systematic security risk analysis or documenting that one has been performed.

Myth 6:  There is a specific risk analysis method that I must follow

Fact:  False. A risk analysis can be performed in countless ways. OCR has issued Guidance on Risk Analysis Requirements of the Security Rule. This guidance assists organizations in identifying and implementing the most effective and appropriate safeguards to secure e-PHI.

Myth 7:  My security risk analysis only needs to look at my EHR

Fact:  False. Review all electronic devices that store, capture, or modify electronic protected health information. Include your EHR hardware and software and devices that can access your EHR data (e.g., your tablet computer, your practice manager’s mobile phone). Remember that copiers also store data.  Please see U.S. Department of Health and Human Services (HHS) guidance on remote use.

Myth 8:  I only need to do a risk analysis once

Fact:  False. To comply with HIPAA, you must continue to review, correct or modify, and update security protections.

Myth 9:  Before I attest for an EHR incentive program, I must fully mitigate all risks

Fact: False. The EHR incentive program requires correcting any deficiencies (identified during the risk analysis) according to the timeline established in the provider’s risk management process, not the date the provider chooses to submit meaningful use attestation. The timeline needs to meet the requirements under 45 CFR 164.308(a)(1), including the requirement to “Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with [45 CFR ]§164.306(a).”

Myth 10:  Each year, I’ll have to completely redo my security risk analysis

Fact:  False. Perform the full security risk analysis as you adopt an EHR. Each year or when changes to your practice or electronic systems occur, review and update the prior analysis for changes in risks. Under meaningful use, reviews are required for each EHR reporting period. For EPs, the EHR reporting period will be 90 days or a full calendar year, depending on the EP’s year of  participation in the program.

Source: CMS

Do I need to address all identified security risks?

public security cybersecurity

Before conducting meaningful security risk analysis of ePHI, it is important that practitioners clearly understand the terminologies:

Risk is the level of exposure and potential impact of threats on the confidentiality, integrity, and availability of electronic Protected Health Information (ePHI).

Threats are all factors that can have a negative impact on ePHI.

  Threats may be:

–  Intentional (e.g., malicious intent); or

–  Unintentional (e.g., misconfigured security role assignment in EHR system, data entry error).

Threat sources include:

– Natural (e.g., floods, earthquakes, storms, tornados);

–  Human (e.g., intentional, such as identity thieves, hackers, spyware authors; unintentional, such as data entry error, accidental deletions, improper disclosure); or

– Environmental (e.g., power surges and spikes, hazmat contamination pollution).

 Vulnerabilities are flaws or weaknesses in an EHR or PMS system’s security procedure, design, implementation, or control that could be intentionally or unintentionally exercised by a threat.

Impact is a negative quantitative and/or qualitative assessment of a vulnerability being exercised on the confidentiality, integrity, and availability of ePHI.

Covering how to identify security risks during your meaningful use security risk assessment process is beyond the scope of this article. Rather, our focus will be on strategizing how to address the identified risks. As demonstrated by recent announcements from major retailers and healthcare providers on data breaches, identifying security risks in the technology systems is only half the battle. Strategically addressing the risks identified in the risk analysis is the key to maintain the upper hand. The majority of risk identification will be focused on analyzing your different systems, including your EHR programs, network, wireless infrastructure, desktops/laptops, mobile devices, and other portable devices including USB thumb drive, backup tapes, etc.

In terms of addressing all identified risks, it’s effectively impossible to address all of them, as security experts generally agree that security threats are constantly evolving. For instance, by the time you have reasonably secured all desktops and laptops, your ePHI  also may be on mobile devices and/or with cloud service providers. It’s said in the industry that you cannot run a business with zero risk, and this notion very much applies to the information security risk area.

Prioritization of risk should take into account all information gathered and determinations made by analyzing the likelihood of threat occurrence and its resulting impact. The risk-level determination may be performed by assigning a risk-level based on the average of the assigned likelihood and impact levels. A risk-level matrix, such as the sample depicted below, can be used to assist in determining risk levels.

It’s possible for most organizations to address the risks using one or more of the following options:

  • By accepting the risks
  • By mitigating the risks
  • By transferring the risks

It should be noted that not all possible recommended security controls can always be implemented to reduce risks identified. To determine which are most required and appropriate, a cost-benefit analysis needs to be conducted for the recommended controls to demonstrate that the costs of implementing the controls will be justified by the reduction in the level of risk. In addition to cost, organizations should consider the operational impact and feasibility of introducing the recommended security controls into the operating environment.

Your overall objective for addressing any risks needs to be minimizing the probability and consequences of adverse events to your organization, along with managing the risks within acceptable levels

Download Free FAQ on MU EHR Incentive Audit

Listen to our on-demand webinar on security risk analysis: