Medical Informatics Engineering Issued with $100,000 HIPAA Violation Penalty

The Department of Health and Human Servicesโ€™ Office for Civil Rights has announced a settlement has been reached with Indiana-based electronic medical record software and service provider Medical Informatics Engineering to resolve HIPAA violations discovered during the investigation of a 2015 data breach.

The settlement agreement requires Medical Informatics Engineering to pay a financial penalty of $100,000 and adopt a corrective action plan (CAP). The CAP requires MIE to conduct an organization-wide risk analysis to identify all risks to the confidentiality, integrity, and availability of protected health information (PHI). A risk management plan must also be developed and implemented and all identified risks must be reduced to a reasonable and acceptable level.

The breach in question occurred in May 2015 when hackers gained access to one of its servers for a period of 19 days. The hackers used a compromised username and password to gain access to the server, which contained the PHI of patients of 239 of its NoMoreClipboard clients. In total, the PHI of 3.5 million individuals was compromised.

OCR launched an investigation to determine if the breach could have been avoided and whether violations of HIPAA Rules played a part in the security breach. OCR investigators discovered a comprehensive, organization-wide risk analysis had not been conducted in violation of 45 C.F.R. ยง 164.308(a)(l)(ii)(A) of the HIPAA Security Rule. That failure contributed to the impermissible disclosure of 3.5 million patientsโ€™ PHI.

โ€œEntities entrusted with medical records must be on guard against hackers,โ€ said OCR Director Roger Severino. โ€œThe failure to identify potential risks and vulnerabilities to ePHI opens the door to breaches and violates HIPAA.โ€

The risk analysis is one of the most important requirements of the HIPAA Security Rule, yet it is one of the most common areas of non-compliance. If a risk analysis is not conducted, it is probable that risks will be allowed to persist which could result in an impermissible disclosure of PHI. Risk analysis failures were discovered during both phases of OCRโ€™s HIPAA compliance audits and it is the most common violation cited in HIPAA settlements and civil monetary penalties.

HIPAA
Compliance
Checklist

Simple Guidelines
Immediate PDF Download

Immediate Access

Privacy Policy

Download Free Checklist

This is the second HIPAA violation penalty to be issued by OCR in 2019. Also in May, OCR announced that a settlement had been reached with Touchstone Medical Imaging to resolve multiple violations of HIPAA Rules.

About Liam Johnson

Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: https://www.linkedin.com/in/liamhipaa/