HHS’ Office for Civil Rights (OCR) announced a settlement of potential violations of the HIPAA Privacy and Security Rules with iHealth Solutions, LLC, a Kentucky-based business associate that provides coding, billing, and onsite information technology services to health care providers. The settlement involved a data breach, where a network server containing the protected health information of 267 individuals was left unsecure on the internet.
In August 2017, OCR initiated an investigation of iHealth Solutions following the receipt of a breach report stating that iHealth Solutions had experienced an unauthorized transfer of protected health information, known as exfiltration, from its unsecured server. The protected health information included patient names, dates of birth, addresses, Social Security numbers, email addresses, diagnoses, treatment information, medical procedures, and medical histories. In addition to the impermissible disclosure of protected health information, OCR’s investigation found evidence of the potential failure by iHealth Solutions to have in place an analysis to determine risks and vulnerabilities to electronic protected health information across the organization.
iHealth Solutions has paid $75,000 to OCR and agreed to implement a corrective action plan, which identifies steps iHealth Solutions will take to resolve potential violations of the HIPAA Privacy and Security Rules and protect the security of electronic protected health information.
Although you probably have other issues on your mind, now is a good time to conduct an internal audit for all aspects of HIPAA compliance. A little bit of effort can save you from leaking sensitive patient data, paying a massive fine and being the target of a Federal investigation. Don’t let your practice be featured in the next press release from HHS!