The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has just levied a $3,000,000 HIPAA fine against Touchstone Medical Imaging. The HIPAA fine comes after a breach of the HIPAA Security Rule and HIPAA Breach Notification Rule that affected more than 300,000 patients.
Touchstone is a diagnostic medical imaging company based in Franklin, Tennessee, providing services in Texas, Colorado, Nebraska, Florida, and Arkansas. In May of 2014, Touchstone received notice from the FBI and OCR of a breach of unsecured protected information (PHI). PHI is any demographic information that can be used to identify a patient. Common examples include a patient’s name, date of birth, Social Security number, medical records, and financial information.
The FBI and OCR notified Touchstone that one of the company’s servers had been breached and was allowing access to patients’ PHI via search engines. This information was granted uncontrolled access, even after Touchstone took the server offline.
After first being made aware of the breach, Touchstone claimed that no PHI was exposed. OCR investigators, however, uncovered evidence to the contrary. Touchstone later admitted that the breach had included the PHI of over 300,000 patients. This included sensitive information such as names, dates of birth, Social Security numbers, and home addresses.
OCR investigators also discovered that Touchstone failed to thoroughly investigate the massive data breach until months after first receiving notice from the FBI and OCR. As a result, patients were not notified of their involvement in the breach as mandated by the HIPAA Breach Notification Rule. The Breach Notification Rule states that patients involved in a meaningful breach (affecting more than 500 individuals in a single jurisdiction) must be notified no later than 60 days from the discovery of the breach. By not notifying patients in a timely manner, Touchstone violated this crucial HIPAA Rule.
Over the course of its investigation, OCR also determined that Touchstone did not conduct a risk analysis to identify potential risks for data breaches. Additionally, the company did not have business associate agreements in place with vendors. Business associate agreements must be executed prior to any PHI being shared, as per HIPAA regulation. That means that vendors, such as Touchstone’s IT support and third-party data center were illegally receiving access to patients’ PHI.
Roger Severino, Director of OCR, commented on the Touchstone HIPAA fine, stating: “Covered entities must respond to suspected and known security incidents with the seriousness they are due, especially after being notified by two law enforcement agencies of a problem. Neglecting to have a comprehensive, enterprise-wide risk analysis, as illustrated by this case, is a recipe for failure.”
This HIPAA fine demonstrates the importance of performing a HIPAA risk analysis throughout the full extent of your organization. When a breach is discovered, it is imperative for organizations to be proactive in their response. HIPAA regulation sets specific standards for how and when breaches must be responded to, in addition to notification requirements for affected individuals.
Compliancy Group’s Audit Response Program helps clients effectively deal with OCR HIPAA audits. By working with our team of expert Compliance Coaches, clients will have all the reports and tools they need to demonstrate their HIPAA compliance, as well as perform internal investigations into any breaches that have occurred.