Due to a July 2018 incident, the Office for Civil Rights (OCR) investigated MedEvolve to determine if the business associate was HIPAA compliant. The result? A $350,000 HIPAA fine for potentially violating several provisions of the HIPAA Privacy and Security Rules.
*Correction: An earlier version of this article incorrectly stated that the MedEvolve incident was the result of hacking. The breach was caused by human error.
MedEvolve Network Server Breach
MedEvolve, Inc. is a practice management, revenue cycle management, and practice analytics software vendor that provides services to covered entities. In July 2018, MedEvolve submitted a breach report to OCR indicating that it had experienced a network server incident affecting 230,572 patients.
The report noted that the breach left protected health information (PHI) unsecured and accessible online. According to statements by MedEvolve, “The incident did not involve or have any impact on our technology solutions. The incident was a result of a data file that was inadvertently placed on a file transfer (FTP) server that was separate from our client hosting environment. The server was immediately secured upon discovery of the file, and no malicious use of patient information has ever been detected.”
In the press release issued by the HHS, OCR Director Melanie Fontes Rainer stated, “Ensuring that security measures are in place to protect electronic protected health information where it is stored is an integral part of cybersecurity and the protection of patient privacy. HIPAA regulated entities must ensure that they are not leaving patient health information unsecured on network servers available to the public via the internet.”
MedEvolve HIPAA Fine and Mandated Corrective Actions
The July incident triggered an OCR investigation, as all breaches affecting 500 or more patients do. The investigation uncovered widespread noncompliance, including failure to conduct a security risk assessment (SRA) and to enter into a business associate agreement (BAA) with a subcontractor.
MedEvolve agreed to pay a $350,000 HIPAA fine to settle the potential HIPAA violations and to implement a corrective action plan (CAP), and it is subject to two years of OCR monitoring.
The terms of their CAP require MedEvolve to:
- Conduct an accurate and thorough security risk assessment
- Develop and implement a risk management plan
- Develop, maintain, and revise written HIPAA policies and procedures
- Augment its existing HIPAA and Security Training Program
- Report to HHS within sixty (60) days when workforce members fail to comply with MedEvolve’s written policies and procedures
Prevent Fines with HIPAA Compliance
The best way to protect your organization from HIPAA fines is with compliance. HIPAA compliant organizations understand their obligations under the law, including how to secure patient information.
Compliancy Group offers automated HIPAA compliance software that allows organizations to meet HIPAA standards, document compliance, and maintain their efforts. Clients receive a complete HIPAA solution that includes policies and procedures, employee training, business associate agreements, and more.
The best part? Everything HIPAA requires is available from the compliance dashboard, and our Compliance Success Team guides you through it. Schedule a demo today!