In December of 2024, the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) announced a $250,000 settlement with Puerto Rico-based healthcare clearinghouse Inmediata Health Group, LLC (Inmediata), over the latter’s potential HIPAA Privacy and Security Rule violations. Details of the settlement over potential HIPAA violations are provided below.
Potential HIPAA Violations: Engines of Change
Inmediata Health Group, LLC is a healthcare clearinghouse that provides medical data processing and clearinghouse services to an array of entities in Puerto Rico: physicians, dentists, hospitals, labs, medical schools, and payers. In November of 2018, a Complainant filed a complaint with OCR, alleging that electronic protected health information (ePHI) of patients belonging to Imediata was left unsecured on the Internet – available online (through search engines like Google) to unauthorized individuals.
OCR investigated the claim and found that from May of 2016 to January of 2019, the ePHI of roughly 1.5 million individuals was made publicly available online and cached by search engines. Inmediata provided the required breach notification to the affected individuals. Inmediata also informed OCR that the breached ePHI included patient names, dates of birth, home addresses, Social Security numbers, claims information, diagnosis/conditions and other treatment information.
OCR concluded that these impermissible PHI disclosures were potential HIPAA Privacy Rule violations. OCR’s investigation also identified multiple potential HIPAA Security Rule violations, including:
1. Failures by Inmediata to conduct a compliant risk analysis to determine the potential risks and vulnerabilities to ePHI in its systems; and
2. Failure by Inmediata to monitor and review its health information systems’ activity.
Potential HIPAA Violations: Capping the CAP
Under the terms of the settlement entered into in August of 2024, Inmediata paid OCR $250,000. Under the settlement, Inmediata is also required to submit to a corrective action plan….Wait – actually it isn’t. Typically, an OCR monetary resolution agreement also provides for CAP, but not this time. OCR did not impose a CAP – but it did not do so out of a sense of holiday generosity. Rather, OCR determined that a CAP was not necessary as Inmediata had already agreed to a settlement – in a litigation with 33 states that includes, as a remedy, its own CAP.
Potential HIPAA Violations: Only Connect
In a press release announcing the settlement, “Health care entities must ensure that they are not leaving patient health information accessible online to anyone with an internet connection,” said OCR Director Melanie Fontes Rainer. “Effective cybersecurity means being proactive and vigilant in searching for risks and vulnerabilities to health data and preventing unauthorized access to patient health information.”
In the press release, OCR also recommends that health care providers, health plans, clearinghouses, and business associates that are covered by HIPAA take the following steps to protect ePHI and avoid HIPAA violations:
- Review all vendor and contractor relationships to ensure business associate agreements are in place as appropriate and address breach/security incident obligations.
- Integrate risk analysis and risk management into business processes; conducted regularly and when new technologies and business operations are planned.
- Ensure audit controls are in place to record and examine information system activity.
- Implement regular review of information system activity.
- Utilize multi-factor authentication to ensure only authorized users are accessing ePHI.
- Encrypt ePHI to guard against unauthorized access to ePHI.
- Incorporate lessons learned from incidents into the overall security management process.
- Provide training specific to organization and job responsibilities on a regular basis; that reinforces workforce members’ critical role in protecting privacy and security.
