The HHS’ Office for Civil Rights has agreed to settle a HIPAA case with the business associate iHealth Solutions for $75,000. The financial penalty resolves a risk analysis failure and an impermissible disclosure of ePHI. In addition to the penalty, iHealth Solutions has adopted a corrective action plan to bring it into compliance with the HIPAA Rules, and OCR will monitor the business associate for 2 years to ensure full compliance.
iHealth Solutions is a Louisville, KY-based vendor that provides management services to healthcare practices, doing business as Advantum Health. On May 2, 2017, iHealth Solutions discovered that a server had been accessed by an unauthorized individual who exfiltrated files. The server had been misconfigured and could be accessed without authentication. The breach was reported to OCR on August 22, 2017.
OCR investigates all breaches of 500 or more records, but investigations are also conducted of some smaller breaches to determine if the HIPAA Rules have been violated. Interestingly, the last three OCR enforcement actions to result in financial penalties have all been for breaches of fewer than 500 records. The iHealth Solutions data breach affected 267 individuals, a 419-record breach at Yakima Valley Memorial Hospital was resolved with a $240,000 penalty, and an impermissible disclosure of the PHI of 4 individuals by Manasa Health Center, LLC, resulted in a $30,000 penalty.
OCR determined that iHealth Solutions had not complied with 45 C.F.R. §164.502(a), the HIPAA Security Rule requirement to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI. A failure to conduct such a risk analysis is one of the most common HIPAA violations uncovered by OCR in its HIPAA compliance audits and investigations.
The corrective action plan requires iHealth Solutions to conduct a comprehensive and accurate risk analysis, address all risks identified in the risk analysis, develop, implement, and maintain policies and procedures regarding HIPAA Privacy and Security Rule compliance, and implement a process to evaluate environmental and operational changes that affect the security of electronic protected health information.
“HIPAA business associates must protect the privacy and security of the health information they are entrusted with by HIPAA-covered entities,” said OCR Director Melanie Fontes Rainer. “Effective cybersecurity includes ensuring that electronic protected health information is secure, and not accessible to just anyone with an internet connection.”