Today, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced a settlement with Inmediata Health Group, LLC (Inmediata), a health care clearinghouse, over potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule. This follows a complaint to OCR that HIPAA-protected health information was accessible to search engines like Google on the internet.
“Health care entities must ensure that patient health information is not left accessible online to anyone with an internet connection,” said OCR Director Melanie Fontes Rainer. “Effective cybersecurity requires being proactive and vigilant in identifying risks and vulnerabilities to health data and preventing unauthorized access to patient information.”
OCR enforces the HIPAA Privacy, Security, and Breach Notification Rules, which outline the requirements that health plans, health care clearinghouses, most health care providers, and their business associates must follow to protect the privacy and security of protected health information (PHI). The HIPAA Security Rule establishes national standards to protect individuals’ electronic personal health information created, received, used, or maintained by a covered entity. It also mandates appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information (ePHI).
In 2018, OCR received a complaint about PHI being left unsecured on the internet. After OCR initiated an investigation, Inmediata provided breach notifications to HHS and the affected individuals. OCR’s investigation found that from May 2016 through January 2019, the PHI of 1,565,338 individuals was publicly available online. The disclosed PHI included patient names, dates of birth, home addresses, Social Security numbers, claims information, diagnoses/conditions, and other treatment information. These unauthorized disclosures were potential violations of the HIPAA Privacy Rule.
The investigation also identified multiple potential HIPAA Security Rule violations, including Inmediata’s failure to conduct a compliant risk analysis to identify potential risks and vulnerabilities to ePHI in its systems, and to monitor and review its health information systems’ activity. The settlement resolves OCR’s investigation concerning this HIPAA breach.
Under the settlement terms, Inmediata paid OCR $250,000. OCR determined that a corrective action plan was unnecessary in this resolution since Inmediata had already agreed to a settlement with 33 states, which includes corrective actions addressing OCR’s findings.
OCR recommends that health care providers, health plans, clearinghouses, and business associates covered by HIPAA take the following steps to protect ePHI:
- Review all vendor and contractor relationships to ensure business associate agreements are in place as appropriate and address breach/security incident obligations.
- Integrate risk analysis and risk management into business processes, conducted regularly and when new technologies and business operations are planned.
- Ensure audit controls are in place to record and examine information system activity.
- Implement regular reviews of information system activity.
- Utilize multi-factor authentication to ensure only authorized users access ePHI.
- Encrypt ePHI to guard against unauthorized access.
- Incorporate lessons learned from incidents into the overall security management process.
- Provide regular training specific to the organization and job responsibilities, reinforcing workforce members’ critical role in protecting privacy and security.