Arkansas Business Associate Penalized $350,000 by OCR for Unauthorized Disclosure of ePHI

Posted by HIPAA Software on Jun 04, 2023

The Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS) has reached a settlement in a HIPAA investigation involving a business associate in Arkansas. The company in question, MedEvolve, Inc. of Little Rock, Arkansas, provides practice management, revenue cycle management, and practice analytics software to HIPAA-regulated organizations. MedEvolve failed to adequately secure a file transfer protocol (FTP) server, resulting in the unauthorized disclosure of electronic protected health information (ePHI) belonging to more than 230,000 individuals. As a business associate, MedEvolve is required under HIPAA to ensure that this information is protected at all times.

In July 2018, MedEvolve notified OCR of an error in its FTP server setup. After an investigation, MedEvolve determined that the server contained the ePHI of 230,572 individuals and was accessible over the Internet without authentication. The breach affected two HIPAA-regulated organizations: Premier Immediate Medical Care, LLC (204,607 individuals affected) and Dr. Beverly Health (25,965 individuals affected). The exposed information included names, billing addresses, phone numbers, health insurer information, physician office account numbers, and, in some cases, Social Security numbers.

In response to this incident, OCR initiated an investigation and identified three potential HIPAA violations: the impermissible disclosure of the ePHI of 230,572 individuals (45 C.F.R. § 164.502(a)), failure to enter into a business associate agreement with a subcontractor (45 C.F.R. § 164.502(e)(1)(ii)), and failure to adequately assess potential risks to the confidentiality, integrity, and availability of ePHI (45 C.F.R. § 164.308(a)(1)(ii)(A)).

Settlement and Corrective Action Plan Imposed on MedEvolve in Arkansas HIPAA Case

MedEvolve settled the case without admitting liability or wrongdoing and agreed to pay a monetary penalty of USD 350,000. The settlement also includes a corrective action plan that imposes specific obligations on MedEvolve: conducting a comprehensive and accurate risk assessment, implementing risk management plans to mitigate the risks identified, developing and maintaining policies and procedures to comply with the HIPAA Privacy and Security Rules, and improving its HIPAA and security training program.

“Ensuring that security measures are in place to protect electronically protected health information where it is stored is an integral part of cybersecurity and the protection of patient privacy. HIPAA-regulated entities must ensure that they are not leaving patient health information unsecured on network servers available to the public via the Internet,” said OCR Director Melanie Fontes Rainer.

This is the fourth HIPAA financial penalty that OCR has imposed this year, following settlements with David Mente, MA, LPC, for $15,000 and Life Hope Labs, LLC, for $16,500 for HIPAA access violations, and with Banner Health, LLC, for $1,250,000 for multiple violations of the HIPAA Security Rule.
