Healthcare Clearinghouse Pays $250K To Settle Alleged HIPAA Violations

HIPAA Fine - HIPAAGuide.net

Inmediata Health Group has agreed to pay $250,000 to settle alleged violations of the HIPAA Rules. The settlement with the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is in addition to the $1.4 million paid to resolve HIPAA violations identified in a multi-state investigation and a $1.125 million settlement to resolve a class action lawsuit over its 1.6 million-record data breach.

Inmediata Health Group, a Puerto Rico-based healthcare clearinghouse, was found to have exposed electronic protected health information (ePHI) over the Internet. A complaint was filed with OCR in 2018 that alleged sensitive patient data was accessible via the Internet. OCR investigated and confirmed that from May 2016 through January 2019, ePHI was accessible over the Internet with no need for authentication. Patient data held by Inmediata had been indexed and cached by search engines. The ePHI of 1,565,338 individuals had been impermissibly disclosed due to a misconfiguration.

OCR determined that the impermissible disclosure of ePHI potentially violated the HIPAA Privacy Rule, and its investigation also uncovered potential HIPAA Security Rule failures including the failure to conduct a comprehensive and accurate risk analysis to identify risks and vulnerabilities to ePHI, and the failure to monitor and review activity in information systems containing ePHI. OCR settled the alleged violations for $250,000.

When OCR imposes a civil monetary penalty on a HIPAA-regulated entity, it cannot also compel the entity to adopt a corrective action plan (CAP) to address the areas of noncompliance identified during the investigation. When potential HIPAA violations are settled, by contrast, the settlement agreement almost always includes a CAP. In this case, however, OCR determined that a CAP was not necessary because Inmediata had already committed to making security improvements in an earlier settlement.

Inmediata Health Group was investigated by a coalition of Attorneys General from 33 states, resulting in a $1.4 million settlement agreement in 2023. The settlement included a CAP that required improvements to be made to Inmediata's information security program and updates to its data security practices. OCR determined that the CAP agreed in the multi-state settlement covered all aspects of noncompliance identified by OCR's investigators.

The data breach demonstrates that HIPAA-regulated entities not only risk enforcement actions by OCR but also by state attorneys general over the same HIPAA violations. The settlement with OCR may have been relatively small, but Inmediata has paid more than $2.7 million in fines and settlements as well as incurring significant costs investigating and remediating the breach and notifying almost 1.6 million individuals.


About Liam Johnson

Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: https://www.linkedin.com/in/liamhipaa/