Last week, Indiana based Medical Informatics Engineering, Inc. (MIE) agreed to pay $100,000 to the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR). MIE provides electronic health record and related services to healthcare entities. MIE also committed to a two-year corrective action plan to resolve potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules.
Separately, MIE agreed to pay $900,000 to 16 states whose attorneys general had sued the company over a related data breach. The suit was the first of its kind premised on a HIPAA violation. The attorneys general accused MIE violating state personal information protection laws, breach notification laws, and deceptive trade practices laws.
The state settlement required MIE to implement and maintain an information security program sufficiently robust to check cyberattacks. The company also agreed to install technology to prevent data exfiltration.
MIE had earlier informed OCR that hackers had accessed the electronic protected health information (ePHI) of about 3.5 million people. See 45 C.F.R. § 164.502(a). An OCR investigation determined that MIE had not conducted a mandatory comprehensive risk analysis before the incident. HIPAA Rules require entities to assess the potential threats to the integrity of an entity’s ePHI. See 45 C.F.R. § 164.308(a)(l)(ii)(A).
OCR Director Roger Severino noted that the “failure to identify potential risks and vulnerabilities to ePHI opens the door to breaches and violates HIPAA.” North Carolina Attorney General Josh Stein stated that the breach had put sensitive health data at risk.
MIE denies all wrong doing and neither resolution required an admission of fault. However, the states’ complaint stated that MIE (1) failed to implement adequate security controls, (2) did not address known vulnerabilities, (3) failed to use encryption, (4) did not adequately train staff in security issues and (5) failed to address the breach in an appropriate manner. These measures provide a useful checklist for any healthcare counsel, CIO, or CISO looking to avert the next OCR fine or multi-state lawsuit.
Saad Gul and Mike Slipsky, editors of NC Privacy Law Blog, are partners with Poyner Spruill LLP. They advise clients on a wide range of privacy, data security, and cyber liability issues, including risk management plans, regulatory compliance, cloud computing implications, and breach obligations. Saad (@NC_Cyberlaw) may be reached at 919.783.1170 or email@example.com. Mike may be reached at 919.783.2851 or firstname.lastname@example.org.