In a shocking turn of events, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) has made an announcement that will send shockwaves through the healthcare industry. iHealth Solutions, LLC, also known as Advantum Health, a Kentucky-based business associate providing coding, billing, and onsite IT services to healthcare providers, has settled potential violations of the HIPAA Security Rule with OCR.
This settlement revolves around a data breach that occurred when a network server containing the protected health information (PHI) of 267 individuals was left unsecured on the internet. The incident is a clear violation of the requirements set forth by HIPAA regulations regarding the protection of health information.
Behind the Scenes of the Story
The investigation began in August 2017 after OCR received a breach report indicating an unauthorized transfer of PHI from iHealth Solutions’ unsecured server.Â
The compromised data included PHI such as:
- Patient Names
- Dates of Birth
- AddressesÂ
- Diagnoses
- Treatment Information
- Medical Procedures
- Medical Histories
Additionally, OCR’s inquiry uncovered evidence suggesting iHealth Solutions may have failed to conduct a HIPAA security risk assessment to identify risks and vulnerabilities to electronically protected health information (ePHI).
As a part of the settlement agreement between iHealth and OCR, iHealth has paid $75,000 in fines. Furthermore, they have committed to implementing a corrective action plan (CAP) to address potential HIPAA Privacy and Security Rule violations. The CAP is meant to bolster its security measures surrounding ePHI. OCR will also actively monitor iHealth Solutions over the next two years to ensure compliance with HIPAA rules.
Taking Action! Correcting Mistakes and What Could Have Been Prevented
The corrective action plan outlines specific steps that iHealth Solutions must take.Â
This includes:
- Conducting an accurate and thorough analysis of their organization to identify potential risks and vulnerabilities associated with ePHI they handle.
- Developing and implementing a comprehensive risk management plan to mitigate any identified security risks and vulnerabilities.
- Establishing a process for evaluating environmental and operational changes that may impact the security of ePHI.
- Creating, maintaining, and revising written HIPAA policies and procedures as necessary.
There are definite preventative measures that could have been taken by iHealth Solutions to avoid this hefty fine.
1. Safeguarding PHI
Storing confidential information on an unsecured server creates vulnerabilities and exposes patients’ private details to potential breaches. With advanced technological solutions readily available, including encryption and secure servers.
2. Regular Audit and Risk Assessments
Conducting routine checks ensures any potential security gaps or system vulnerabilities are identified promptly. Had iHealth proactively performed these evaluations, they might have detected the exposed server before unauthorized access occurred.
3. Training Employees About Privacy & Security Practices
It is essential for all staff members who handle PHI and ePHI to understand their responsibilities concerning patient data. Ensuring comprehensive training programs can significantly reduce the likelihood of accidental disclosures or security lapses.
4. Prompt Remediation Plan
Detecting a breach early allows organizations to take immediate action to contain the damage and mitigate risks effectively. In this case, iHealth Solutions’ failure to identify the exposed server in a timely manner likely exacerbated the consequences and resulted in a substantial settlement fine.
5. Complying with HIPAA
HIPAA sets stringent guidelines for handling PHI and mandates organizations to ensure confidentiality and integrity. By not adequately adhering to HIPAA regulations, iHealth Solutions demonstrated negligence toward protecting patient information.
iHealth Solutions: Why They Should Have Become HIPAA Compliant
iHealth Solutions could have avoided this massive settlement by working with a HIPAA compliance solution like ours at Compliancy Group. At Compliancy Group, we provide comprehensive HIPAA compliance services and training programs that help healthcare organizations understand and implement the necessary safeguards to protect PHI. By working with us, iHealth could have received expert guidance on establishing and maintaining HIPAA compliance by meeting all the requirements laid out for you.
Compliancy Group offers ongoing support and monitoring to ensure continuous compliance. They provide regular audits and assessments to identify potential vulnerabilities or improvement areas for iHealth solutions. By regularly reviewing their systems and processes with the help of Compliancy Group, iHealth Solutions would have been able to proactively address any compliance issues before they escalated into fines or penalties.
Overall, working with Compliancy Group can help healthcare organizations like iHealth Solutions avoid fines by providing them with the knowledge, tools, and resources needed to achieve and maintain HIPAA compliance. It allows companies to stay up-to-date with changing regulations and industry best practices while receiving ongoing support to mitigate risks effectively.
