May 16, 2023 — The Office for Civil Rights (OCR) within the Department of Health and Human Services (HHS) has reached a landmark settlement in a HIPAA investigation, imposing a hefty fine of $350,000 on Arkansas-based business associate MedEvolve, Inc.
The settlement comes as a result of MedEvolve’s impermissible disclosure of electronically protected health information (ePHI) belonging to more than 230,000 individuals following a failure to secure a File Transfer Protocol (FTP) server. This significant penalty emphasizes the crucial role of protecting patient privacy and serves as a strong deterrent for similar violations in the future.
Table of Contents
May 16, 2023 — The Office for Civil Rights (OCR) within the Department of Health and Human Services (HHS) has reached a landmark settlement in a HIPAA investigation, imposing a hefty fine of $350,000 on Arkansas-based business associate MedEvolve, Inc.
The settlement comes as a result of MedEvolve’s impermissible disclosure of electronically protected health information (ePHI) belonging to more than 230,000 individuals following a failure to secure a File Transfer Protocol (FTP) server. This significant penalty emphasizes the crucial role of protecting patient privacy and serves as a strong deterrent for similar violations in the future.
OCR Investigates MedEvolve’s Potential HIPAA Violations
The investigation, initiated by OCR after MedEvolve self-reported an error configuring their FTP server in July 2018, uncovered a breach that exposed the ePHI of 230,572 individuals. Disturbingly, this sensitive information was accessible over the Internet without any authentication. The breach affected two HIPAA-regulated entities, Premier Immediate Medical Care, LLC (impacting 204,607 individuals) and Dr. Beverly Held (impacting 25,965 individuals). An HHS press release reports that the breach exposed the names, billing addresses, telephone numbers, health insurer information, doctor’s office account numbers, and, for some individuals, Social Security numbers.
How HIPAA protects health information
The Health Insurance Portability and Accountability Act of 1996, or HIPAA, secures protected health information. Its guidelines serve to safeguard patient privacy, enforce data security measures, and facilitate secure health information exchange in an increasingly digital healthcare landscape. HIPAA violations result in severe penalties, as the MedEvolve case shows.
MedEvolve’s HIPAA Violations
During the investigation, it was discovered that MedEvolve failed to comprehensively analyze potential risks and vulnerabilities to electronic patient/system data across its organization. This means they overlooked the crucial step of identifying areas where sensitive information could be compromised. By neglecting this risk analysis, MedEvolve left itself susceptible to potential security breaches, jeopardizing the confidentiality of patients’ protected health information.
Another significant violation found was that the cloud-based company failed to establish a business associate agreement with its subcontractor. Under HIPAA rules, covered entities and their business associates must have a documented contract that outlines how protected health information will be handled. By neglecting this requirement, the healthcare technology company failed to ensure that its subcontractor adhered to the necessary privacy and security standards, putting patient data at risk.
HIPAA rules for covered entities and business associates
HIPAA establishes clear guidelines and obligations for covered entities and their business associates. Covered entities, such as healthcare providers and health plans, safeguard patient information and comply with privacy and security standards. Business associates, like MedEvolve, must protect patient data and enter into agreements with covered entities to ensure compliance with HIPAA regulations.
These agreements outline permissible uses and disclosures of health information, implementation of safeguards, and breach reporting protocols. By understanding and adhering to these rules, covered entities and business associates play a crucial role in maintaining the privacy and security of patients’ sensitive data.
Monetary settlement and corrective action plan
MedEvolve opted for a resolution to settle the case without admitting liability or wrongdoing. Alongside the $350,000 financial penalty, the settlement includes a comprehensive corrective action plan that requires MedEvolve to take immediate steps to rectify the violations.
The company also agreed to pay the OCR $350,000 in HIPAA fines and enter into a corrective action plan. The OCR will monitor the company for two years to ensure compliance with HIPAA. The corrective action plan mandates the following measures:
- Conduct a thorough assessment to identify risks and vulnerabilities to electronic patient or system data throughout the organization.
- Create and implement a plan to manage and reduce the security risks and vulnerabilities identified in the assessment.
- Establish, update, and maintain written policies and procedures that adhere to the HIPAA Privacy and Security Rules.
- Enhance the existing HIPAA and Security Training Program for all MedEvolve staff who can access protected health information.
- Report to HHS within sixty (60) days if any staff members fail to follow MedEvolve’s written policies and procedures for complying with the HIPAA Privacy and Security Rules.
MedEvolve’s Resolution Agreement and Corrective Action Plan are outlined on the HHS website.
OCR urges covered entities to secure ePHI
After the OCR found evidence of MedEvolve’s HIPAA breach, Melanie Fontes Rainer, Director of OCR, stressed the importance of securing ePHI to safeguard patient privacy. In the HHS press release, she reiterated the responsibility of HIPAA-regulated entities to ensure that patient health information remains secure and inaccessible to unauthorized parties on data exchange networks over the Internet.
This settlement is a milestone in OCR’s enforcement efforts to protect patient privacy and uphold HIPAA standards. According to the HIPAA Journal, the case marks the fourth HIPAA penalty imposed by OCR this year, following settlements with David Mente, MA, LPC, and Life Hope Labs, LLC, for HIPAA Right of Access violations, as well as a substantial $1,250,000 settlement with Banner Health for multiple HIPAA Security Rule violations.
Prioritize Patient Privacy and Avoid HIPAA Penalties
The MedEvolve settlement underscores the importance of protecting health information in a landscape with ever-present cybersecurity threats. Robust risk analysis, strong business associate agreements, and unwavering adherence to HIPAA rules are essential. Implementing secure solutions like secure fax protects patient privacy, ensures the quality of care, and helps organizations comply with HIPAA regulations.
