Medical Informatics Engineering, Inc. (MIE) is an Indiana-based company that develops and offers solutions enabling the exchange of electronic protected health information (ePHI). In May of 2019, the company paid the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) $100,000 to settle potential HIPAA Privacy Rule and Security Rule violations.
The events that led to the violations are now commonplace: MIE discovered suspicious activity on one of its servers. Hackers had used a compromised user ID and password to access the ePHI – names, Social Security numbers, health insurance information, and clinical information – of approximately 3.5 million individuals. Upon discovering the breach, MIE filed a breach report with OCR, as required under the HIPAA Breach Notification Rule.
After its investigation of the incident, OCR found that MIE had not conducted a security risk analysis, and had not developed or implemented a risk management plan. Performing a security risk analysis and having a risk management plan are both required under the HIPAA Security Rule.
As part of its resolution agreement with OCR, MIE agreed to take corrective action, including conducting a risk analysis, developing and implementing a risk analysis plan, and reporting all violations of written policies and procedures to HHS.
Later that month, MIE entered into another settlement, stemming from the exact same data breach. This $900,000 settlement, entered into with the attorneys general of 16 states, concluded a multistate data breach litigation that asserted violations not only of HIPAA, but of the states’ data protection, consumer protection, and consumer privacy laws.
To settle the multistate data breach litigation, MIE agreed to take the following measures:
- Implement and maintain an information security program with appropriate administrative, technical, and physical safeguards;
- Ensure that no generic, non-administrator account on its information system has administrative privileges;
- Require multi-factor authentication to access the portal that allows access to electronic health records;
- Annually train employees regarding their information privacy and security policies; and
- Annually engage an independent third-party professional to conduct a current, thorough risk analysis.
The combined settlements – the OCR settlement and the multistate data breach settlement – cost MIE one million dollars, on top of which come the costs of the numerous (and expensive) remedial actions MIE must now take under both settlements. All of this could have been avoided had MIE had an effective HIPAA compliance program – one that met the requirements of the HIPAA Privacy and Security Rules.
The HIPAA Privacy and Security Rules – the two rules created as part of the initial law – form the backbone of HIPAA compliance. Healthcare organizations that do not comply with privacy and security standards run the risk of large fines and time-consuming remediation efforts. Compliancy Group gives healthcare providers and vendors working in healthcare the tools to address all aspects of the privacy and security rules – in a simplified manner. Our cloud-based HIPAA compliance software, the Guard™, gives healthcare professionals everything they need to demonstrate their “good faith effort” towards HIPAA compliance.
Find out more about how Compliancy Group helps you simplify compliance and cybersecurity today!