Healthcare Clearinghouse Pays $250K To Settle Alleged HIPAA Violations
Inmediata Health Group has agreed to pay $250,000 to settle alleged violations of the HIPAA Rules. The settlement with the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is in addition to the $1.4 million paid to resolve HIPAA violations identified in a multi-state investigation and a $1.125 million settlement to resolve a class action lawsuit over its 1.6 million-record data breach.
Inmediata Health Group, a Puerto Rico-based healthcare clearinghouse, was found to have exposed electronic protected health information (ePHI) over the Internet. A complaint was filed with OCR in 2018 that alleged sensitive patient data was accessible via the Internet. OCR investigated and confirmed that from May 2016 through January 2019, ePHI was accessible over the Internet with no need for authentication. Patient data held by Inmediata had been indexed and cached by search engines. The ePHI of 1,565,338 individuals had been impermissibly disclosed due to a misconfiguration.
OCR determined that the impermissible disclosure of ePHI potentially violated the HIPAA Privacy Rule, and its investigation also uncovered potential HIPAA Security Rule failures including the failure to conduct a comprehensive and accurate risk analysis to identify risks and vulnerabilities to ePHI, and the failure to monitor and review activity in information systems containing ePHI. OCR settled the alleged violations for $250,000.
When a civil monetary penalty is imposed on a HIPAA-regulated entity, OCR cannot compel the entity to adopt a corrective action plan (CAP) to address the areas of noncompliance identified during the investigation. When potential HIPAA violations are settled, the settlement agreement almost always includes a CAP, but in this case, OCR determined that a CAP was not necessary as Inmediata had already committed to making security improvements in an earlier settlement.
Inmediata Health Group was investigated by a coalition of Attorneys General from 33 states, resulting in a $1.4 million settlement agreement in 2023. The settlement included a CAP that required improvements to be made to Inmediata's information security program and updates to its data security practices. OCR determined that the CAP agreed in the multi-state settlement covered all aspects of noncompliance identified by OCR's investigators.
The data breach demonstrates that HIPAA-regulated entities risk enforcement actions not only by OCR but also by state attorneys general over the same HIPAA violations. The settlement with OCR may have been relatively small, but Inmediata has paid more than $2.7 million in fines and settlements, as well as incurring significant costs investigating and remediating the breach and notifying almost 1.6 million individuals.