Topics
More on Compliance & Legal

OCR settles HIPAA investigation into protected health information at MedEvolve

A data breach left the protected health information of 230,572 people exposed, leading to a monetary fine and mandatory oversight.

Jeff Lagasse, Editor

Photo: Al David Sacks/Getty Images

The U.S. Department of Health and Human Services' Office for Civil Rights has settled with MedEvolve for $350,000 over potential HIPAA violations regarding a data breach in which a server containing protected health information was left unsecure and accessible over the internet.

MedEvolve provides practice management, revenue cycle management and practice analytics software services to covered healthcare entities. OCR's investigation found that a 2018 data breach left the protected health information of 230,572 people exposed – a potential HIPAA violation. The HIPAA Privacy, Security, and Breach Notification Rules apply to most healthcare breaches and set the requirements that HIPAA-regulated entities must follow to protect the privacy and security of health information.

The potential violations in this case include the lack of an analysis to determine risks and vulnerabilities to electronic protected health information across the organization and the failure to enter into a business associate agreement with a subcontractor, said OCR.

The HIPAA Rules require that covered entities and business associates – a person or entity that has access to protected health information as part of their relationship with a covered entity – enter into contracts that generally document the permissible uses and disclosures of protected health information, and ensure appropriate safeguards will be implemented, and that the covered entity will be notified of any breaches.

In addition to the monetary settlement, MedEvolve agreed to implement a corrective action plan to better shore up its data security.

WHAT'S THE IMPACT

The investigation was initiated in July 2018, following a breach notification report stating that a server containing electronic protected health information was openly accessible to the internet. The information included patient names, billing addresses, telephone numbers, primary health insurer and doctor's office account numbers, and in some cases Social Security numbers.

OCR investigates such breaches if they involve the protected health information of 500 people or more. Hacking/IT incidents was the most frequent (79%) type of large breach that was reported to OCR in 2022. Network servers are the largest category by location for these breaches.

THE LARGER TREND

As part of the settlement, MedEvolve will be monitored for two years to ensure HIPAA compliance. 

The organization has also agreed to take a number of steps, including conducting a risk analysis and developing a risk management plan to identify security risks.

MedEvolve will also maintain and revise its written policies and procedures, augment its existing HIPAA and Security Training Program for all MedEvolve workforce members who have access to protected health information, and report to HHS within 60 days days when workforce members fail to comply with the written policies and HIPAA rules.

ON THE RECORD

"Ensuring that security measures are in place to protect electronic protected health information where it is stored is an integral part of cybersecurity and the protection of patient privacy," said OCR Director Melanie Fontes Rainer. "HIPAA regulated entities must ensure that they are not leaving patient health information unsecured on network servers available to the public via the internet."
 

Twitter: @JELagasse
Email the writer: Jeff.Lagasse@himssmedia.com