23rd May 2019
Medical Informatics Engineering, Inc. (MIE) has paid $100,000 to the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services, and has agreed take corrective action to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules. MIE is an Indiana company that provides software and electronic medical record services to healthcare providers.
On July 23, 2015, MIE filed a breach report with OCR following the discovery that hackers used a compromised user ID and password to access the electronic protected health information (ePHI) of approximately 3.5 million people. OCR’s investigation revealed that MIE did not conduct a comprehensive risk analysis prior to the breach. The HIPAA Rules require entities to perform an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of an entity’s electronic protected health information.
“Entities entrusted with medical records must be on guard against hackers,” said OCR Director Roger Severino. “The failure to identify potential risks and vulnerabilities to ePHI opens the door to breaches and violates HIPAA.”
In addition to the $100,000 settlement, MIE will undertake a corrective action plan to comply with the HIPAA Rules that includes a complete, enterprise-wide risk analysis.
The resolution agreement and corrective action plan may be found at https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/mie/index.html.
Latest posts by databrackets (see all)
- OCR Imposes a $1.6 Million Civil Money Penalty against Texas Health and Human Services Commission for HIPAA Violations - November 8, 2019
- Failure to Encrypt Mobile Devices Leads to $3 Million HIPAA Settlement - November 6, 2019
- HHS Office for Civil Rights Secures Corrective Action and Ensures Florida Orthopedic Practice Protects Patients with HIV from Discrimination - October 31, 2019