HIPAA Breach – Indiana Medical Records Service Pays $100,000 to Settle

Medical Informatics Engineering, Inc has paid $100,000 to HHS and has agreed take corrective action against the HIPAA breach.

HIPAA breach
HIPAA breach

May 23, 2019 Medical Informatics Engineering, Inc. (MIE) has paid $100,000 to the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services, and has agreed take corrective action to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules. MIE is an Indiana company that provides software and electronic medical record services to healthcare providers.

On July 23, 2015, MIE filed a HIPAA breach report with OCR following discovery that hackers used a compromised user ID and password to access the electronic protected health information (ePHI) of approximately 3.5 million people. OCR’s investigation revealed that MIE did not conduct a comprehensive risk analysis prior to the breach. The HIPAA Rules require entities to perform an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of an entity’s electronic protected health information.

“Entities entrusted with medical records must be on guard against hackers,” said OCR Director Roger Severino. “The failure to identify potential risks and vulnerabilities to ePHI opens the door to breaches and violates HIPAA.”

In addition to the $100,000 settlement, MIE will undertake a corrective action plan to comply with the HIPAA Rules that includes a complete, enterprise-wide risk analysis.

HIPAA Complaint Process Infographic Released by HHS

The Centers for Medicare & Medicaid Services (CMS) has released a new infographic on how alleged violations of the HIPAA Administrative Simplification requirements are processed.

Find out what happens when a complaint is filed:

If you have a complaint about a potential HIPAA Administrative Simplification violation, you can submit it to the CMS complaint enforcement process. Look for more information about CMS compliance and enforcement coming soon.

https://asett.cms.gov/ASETT_HomePage

 

EHR 2.0 rebrands as databrackets, Expands its security & compliance offerings

 

EHR 2.0, the company that was founded in 2011 to serve the signature healthcare law incentive programs, security requirements and HIPAA/HITECH compliance requirements, today announced a corporate name change to databrackets. As part of the rebranding effort, we are unveiling a new line of service offerings and software platform capabilities, a new website and introducing a new logo to showcase the company’s fresh look.  

“As part of the rebranding efforts the tone for our company is to evolve and serve the growing security, privacy audit and compliance requirements,” Mr. Kolathur said. We are expanding our service offerings not only to our consulting customers but also to our DIY (Do It Yourself) toolkit customers and partners. With our strong security and compliance team of expertise, we strive to fulfill the needs all of our customers to the fullest extent.

Under our former brand EHR 2.0, we primarily served the healthcare industry clients with HIPAA/OSHA compliance and MIPS requirements. Based on our customers’ needs, we have added GDPR compliance, NIST framework compliance, Cybersecurity compliance, (including CCPA and NY Cybersecurity) CFR Part 11, SOC 2 audits, cloud compliance and other fields that are on high demand. With these expanded service offerings, we see our company shift from the healthcare domain to industry agnostic solutions with general data security, compliance, and auditing as our key differentiators. We believe rebranding to a strong and unique company name reflects the full depth and breadth of our current expertise, as well as our vision for the future.

The rebranding and expanded service offerings has positioned us to reach the European, Asian, and the Middle Eastern markets and we are excited about our expansion.

“Data is the key in this digital world. Our expanded services focus on securing them and ensuring that the organizations’ data meets the compliance and certification requirements. The response from our consulting clients and DIY portal customers is very encouraging and positive” says Punitha Srini, Business Development Director.

Our DIY portal and training in all our service area offerings receive overwhelming positive feedback and serves the customers with the necessary budget and resources needed to quickly meet the compliance requirements. Visit out our website to learn more.

Phone: (866)-276-8309
E-mail:info@databrackets.com

Indiana Medical Records Service Pays $100,000 to Settle HIPAA Breach

23rd May 2019

Medical Informatics Engineering, Inc. (MIE) has paid $100,000 to the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services, and has agreed take corrective action to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules. MIE is an Indiana company that provides software and electronic medical record services to healthcare providers.

 

On July 23, 2015, MIE filed a breach report with OCR following the discovery that hackers used a compromised user ID and password to access the electronic protected health information (ePHI) of approximately 3.5 million people. OCR’s investigation revealed that MIE did not conduct a comprehensive risk analysis prior to the breach. The HIPAA Rules require entities to perform an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of an entity’s electronic protected health information.

“Entities entrusted with medical records must be on guard against hackers,” said OCR Director Roger Severino. “The failure to identify potential risks and vulnerabilities to ePHI opens the door to breaches and violates HIPAA.”

In addition to the $100,000 settlement, MIE will undertake a corrective action plan to comply with the HIPAA Rules that includes a complete, enterprise-wide risk analysis.

The resolution agreement and corrective action plan may be found at https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/mie/index.html.

New HHS Fact Sheet on Direct Liability of Business Associates under HIPAA

24th May 2019

The HHS Office for Civil Rights (OCR) has issued a new fact sheet that provides a clear compilation of all provisions through which a business associate can be held directly liable for compliance with certain requirements of the HIPAA Privacy, Security, Breach Notification, and Enforcement Rules (“HIPAA Rules”), in accordance with the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009.  In 2013, under the authority granted by the HITECH Act, OCR issued a final rule that, among other things, identified provisions of the HIPAA Rules that apply directly to business associates and for which business associates are directly liable. 

OCR has the authority to take enforcement action against business associates only for those requirements and prohibitions of the HIPAA Rules that appear on the following list. 

  1. Failure to provide the Secretary with records and compliance reports; cooperate with complaint investigations and compliance reviews; and permit access by the Secretary to information, including protected health information (PHI), pertinent to determining compliance.
  2. Taking any retaliatory action against any individual or another person for filing a HIPAA complaint, participating in an investigation or other enforcement processes, or opposing an act or practice that is unlawful under the HIPAA Rules.
  3. Failure to comply with the requirements of the Security Rule.
  4. Failure to provide breach notification to a covered entity or another business associate.
  5. Impermissible uses and disclosures of PHI.
  6. Failure to disclose a copy of electronic PHI to either the covered entity, the individual, or the individual’s designee (whichever is specified in the business associate agreement) to satisfy a covered entity’s obligations regarding the form and format, and the time and manner of access under 45 C.F.R. §§ 164.524(c)(2)(ii) and 3(ii), respectively.
  7. Failure to make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.
  8. Failure, in certain circumstances, to provide an accounting of disclosures.
  9. Failure to enter into business associate agreements with subcontractors that create or receive PHI on their behalf, and failure to comply with the implementation specifications for such agreements.
  10. Failure to take reasonable steps to address a material breach or violation of the subcontractor’s business associate agreement.

“As part of the Department’s effort to fully protect patients’ health information and their rights under HIPAA, OCR has issued this important new fact sheet clearly explaining a business associate’s liability,” said OCR Director Roger Severino.  “We want to make it as easy as possible for regulated entities to understand, and comply with, their obligations under the law.”

The new fact sheet may be found at https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates/index.html along with OCR’s guidance on business associates.

Tennessee diagnostic medical imaging services company pays $3,000,000 to settle breach exposing over 300,000 patients’ protected health information

May 6, 2019

This image has an empty alt attribute; its file name is image.png


Touchstone Medical Imaging (“Touchstone”) has agreed to pay $3,000,000 to the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS), and to adopt a corrective action plan to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Security and Breach Notification Rules. Touchstone, based in Franklin, Tennessee, provides diagnostic medical imaging services in Nebraska, Texas, Colorado, Florida, and Arkansas.

In May 2014, Touchstone was notified by the Federal Bureau of Investigation (FBI) and OCR that one of its FTP servers allowed uncontrolled access to protected health information (PHI).  This uncontrolled access permitted search engines to index the PHI of Touchstone’s patients, which remained visible on the Internet even after the server was taken offline. 

Touchstone initially claimed that no patient PHI was exposed.  However, during OCR’s investigation, Touchstone subsequently admitted that the PHI of more than 300,000 patients was exposed including, names, birth dates, social security numbers, and addresses.  OCR’s investigation found that Touchstone did not thoroughly investigate the security incident until several months after notice of the breach from both the FBI and OCR.  Consequently, Touchstone’s notification to individuals affected by the breach was also untimely.  OCR’s investigation further found that Touchstone failed to conduct an accurate and thorough risk analysis of potential risks and vulnerabilities to the confidentiality, integrity, and availability of all of its electronic PHI (ePHI), and failed to have business associate agreements in place with its vendors, including their IT support vendor and a third-party data center provider as required by HIPAA.

In addition to the monetary settlement, Touchstone will undertake a robust corrective action plan that includes the adoption of business associate agreements, completion of an enterprise-wide risk analysis, and comprehensive policies and procedures to comply with the HIPAA Rules. 

The resolution agreement and corrective action plan may be found at http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/tmi/index.html.

HIPAA Compliance Review Program Launch

CMS on behalf of HHS is launching a HIPAA Compliance Review Program to ensure compliance with the administrative safegaurds by covered entities.

HIPAA Compliance

The Centers for Medicare & Medicaid Services (CMS) Division of National Standards, on behalf of the Department of Health and Human Services (HHS), is launching the HIPAA Compliance Review Program to ensure compliance among covered entities with HIPAA Administrative Simplification rules for electronic health care transactions.

In April 2019, HHS will randomly select 9 HIPAA-covered entities—a mix of health plans and clearinghouses—for HIPAA Compliance Reviews. Any health plan or clearinghouse—not just those who work with Medicare or Medicaid—may be selected. In 2018, HHS piloted the program with health plan and clearinghouse volunteers to streamline the process. In 2019, providers will be able to participate in a separate pilot program on a voluntary basis.

Moving forward, the Compliance Review Program will conduct periodic reviews with randomly selected entities to assess compliance.

Read the full Information Bulletin on the Go-to-Info page for more information, and watch for more Email Update messages with details about the program.

Interested in becoming HIPAA Compliant? We can help maintain your business posture. Check out our HIPAA Compliance service offerings Contact us at 866-276-8309 or info@ehr20.com with any questions.

CMS on behalf of HHS is launching a HIPAA Compliance Review Program to ensure compliance with the administrative safegaurds by covered entities.

Anthem Pays OCR $16 Million in Record HIPAA Settlement Following Largest U.S. Health Data Breach in History October 15, 2018

security-awareness

Anthem Pays OCR $16 Million in Record HIPAA Settlement Following Largest U.S. Health Data Breach in History

October 15, 2018

Anthem, Inc. has agreed to pay $16 million to the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) and take substantial corrective action to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules after a series of cyberattacks led to the largest U.S. health data breach in history and exposed the electronic protected health information of almost 79 million people.

The $16 million settlement eclipses the previous high of $5.55 million paid to OCR in 2016.

Anthem is an independent licensee of the Blue Cross and Blue Shield Association operating throughout the United States and is one of the nation’s largest health benefits companies, providing medical care coverage to one in eight Americans through its affiliated health plans.  This breach affected electronic protected health information (ePHI) that Anthem, Inc. maintained for its affiliated health plans and any other covered entity health plans.

On March 13, 2015, Anthem filed a breach report with the HHS Office for Civil Rights detailing that, on January 29, 2015, they discovered cyber-attackers had gained access to their IT system via an undetected continuous and targeted cyberattack for the apparent purpose of extracting data, otherwise known as an advanced persistent threat attack.  After filing their breach report, Anthem discovered cyber-attackers had infiltrated their system through spear phishing emails sent to an Anthem subsidiary after at least one employee responded to the malicious email and opened the door to further attacks. OCR’s investigation revealed that between December 2, 2014 and January 27, 2015, the cyber-attackers stole the ePHI of almost 79 million individuals, including names, social security numbers, medical identification numbers, addresses, dates of birth, email addresses, and employment information.

In addition to the impermissible disclosure of ePHI, OCR’s investigation revealed that Anthem failed to conduct an enterprise-wide risk analysis, had insufficient procedures to regularly review information system activity, failed to identify and respond to suspected or known security incidents, and failed to implement adequate minimum access controls to prevent the cyber-attackers from accessing sensitive ePHI, beginning as early as February 18, 2014.

In addition to the $16 million settlement, Anthem will undertake a robust corrective action plan to comply with the HIPAA Rules.  The resolution agreement and corrective action plan may be found on the OCR website at http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/anthem/index.html.

HIPAA Fine for Lack of Timely Breach Notification

The U.S. Department of Health and Human Services, Office for Civil Rights (OCR), has announced the first Health Insurance Portability and Accountability Act (HIPAA) settlement of 2017 based on the untimely reporting of a breach of unsecured protected health information (PHI).  Presence Health has agreed to settle potential violations of the HIPAA Breach Notification Rule by paying $475,000 and implementing a corrective action plan. Presence Health is one of the largest health care networks serving Illinois and consists of approximately 150 locations, including 11 hospitals and 27 long-term care and senior living facilities. Presence Health also has multiple physicians’ offices and health care centers in its system and offers home care, hospice care, and behavioral health services. With this settlement amount, OCR balanced the need to emphasize the importance of timely breach reporting with the desire not to disincentivize breach reporting altogether.

On January 31, 2014, OCR received a breach notification report from Presence indicating that on October 22, 2013, Presence discovered that paper-based operating room schedules, which contained the PHI of 836 individuals, were missing from the Presence Surgery Center at the Presence St. Joseph Medical Center in Joliet, Illinois.  The information consisted of the affected individuals’ names, dates of birth, medical record numbers, dates of procedures, types of procedures, surgeon names, and types of anesthesia.  OCR’s investigation revealed that Presence Health failed to notify, without unreasonable delay and within 60 days of discovering the breach, each of the 836 individuals affected by the breach, prominent media outlets (as required for breaches affecting 500 or more individuals), and OCR.

“Covered entities need to have a clear policy and procedures in place to respond to the Breach Notification Rule’s timeliness requirements” said OCR Director Jocelyn Samuels. “Individuals need prompt notice of a breach of their unsecured PHI so they can take action that could help mitigate any potential harm caused by the breach.”

The Resolution Agreement and Corrective Action Plan is available for detail review below:

 

OCR’s guidance on breach notification may be found at http://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html

Learn more on how to comply with HIPAA privacy, security and breach notification rules at https://ehr20.com/services/hipaa-hitech-compliance-assurance/

HIPAA Violation Fines: Unauthorized Filming Results in $2.2 Million Settlement

New York Presbyterian Hospital has reached a settlement with the Office for Civil Rights (OCR) to pay $2.2 million HIPAA violation fine for the unauthorized disclosure of two patients Protected Health Information (PHI). The PHI was released to film crews and staff during the filming of an ABC television series called “NY MED.”  This was done without authorization from the patients. OCR discovered that North Presbyterian Hospital (NYP) allowed the ABC film crew to record someone dying, and another person who was in significant distress. This took place even after medical professionals urged the ABC film crew to stop.

 

 

“This case sends an important message that OCR will not permit covered entities to compromise their patients’ privacy by allowing news or television crews to film the patients without their authorization,” said Jocelyn Samuels, OCR’s Director.  “We take seriously all complaints filed by individuals, and will seek the necessary remedies to ensure that patients’ privacy is fully protected.”By allowing individuals who were  receiving medical attention to be filmed without their knowledge or authorization by members of ABC filming crew, NYP’S blatantly violated the HIPAA rules. Rules that are specifically made in order to stop the disclosure of an individual’s PHI.”

 

Along with the $2.2 million dollar settlement New York Presbyterian Hospital is required to:

  • Develop and revise all policies and procedures to comply with the Federal Standards that comply with privacy and security of PHI
  • A process for evaluating and approving authorizations that request the disclosure of PHI
  • Requirements that all photos, video, and audio recordings conducted are actively monitored by an appropriate employee for compliance with the Privacy Rule
  • All members of NYP’s workforce are to receive training on the policies and procedures in order to comply with the Privacy Rule

This is the sixth HIPAA violation fine in 2016 by HHS (Read the previous resolution agreements here)

What is the specific HIPAA violation?

New York Presbyterian Hospital violated the HIPAA Privacy Rule by allowing the film crew to record both video and audio content of patients with out the proper authorization. OCR also found that NYP failed to safeguard PHI by allowing the ABC film crew virtually total access to the healthcare facility, which in return created an environment where PHI could not be properly protected from unauthorized disclosure to the ABC film crew and staff.

 

HIPAA Violations and Corrective Action Plan (CAP)

New York Presbyterian Hospital has agreed to pay HHS $2,200,000 (Resolution Amount) in order to settle potential violations of the HIPAA Rules. This settlement also includes a comprehensive corrective action plan (CAP) that includes two years of monitoring in order to ensure HIPAA compliance. This action plan will include training on the policies and procedures in order to fully comply with the Privacy Rule, along with requirements that all photos, video, and audio recording conducted be actively monitored by an appropriate employee for compliance with the Privacy Rule.

 

What could have been done differently?

Before filming any individuals receiving urgent or non-urgent medical care, proper authorization needs to be in place. HIPAA Rules are specifically designed to prohibit the disclosure of individual’s PHI which includes, images, audio, and video recordings, in circumstances such as these. ABC’s film crew technically did not do anything wrong. It is New York Presbyterian Hospital’s responsibility to protect and safeguard its patient’s PHI. Simply getting permission from the patients would have been sufficient in allowing ABC to film. However a covered entity, including a health care provider, may not use or disclose PHI, except either:

(1) As the HIPAA Privacy Rule permits or requires

(2) As the individual who is the subject of the information (or the individual’s personal representative) authorizes in writing.

 

To learn more about how EHR 2.0 can help reduce HIPAA violation by setting up policies and procedures that will ensure your healthcare practice is and stays HIPAA compliant, please visit us at https://ehr20.com/services/