The following announcement by HHS OCR stems from an accidental exposure of protected health information online that continued for several years. Inmediata’s incident resulted in a class action lawsuit that was settled for $1.1 million in 2022, and a settlement with 33 states for $1.14 million in 2023. HHS seems to be the first to have been aware of the incident and the last to settle with Inmediata about it.
$250,000 settlement resolves longstanding HIPAA Security Rule failures
Today, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced a settlement with Inmediata Health Group, LLC (Inmediata), a health care clearinghouse, concerning potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule, following OCR’s receipt of a complaint that HIPAA protected health information was accessible on the internet to search engines such as Google.
“Health care entities must ensure that they are not leaving patient health information accessible online to anyone with an internet connection,” said OCR Director Melanie Fontes Rainer. “Effective cybersecurity means being proactive and vigilant in searching for risks and vulnerabilities to health data and preventing unauthorized access to patient health information.”
OCR enforces the HIPAA Privacy, Security, and Breach Notification Rules, which set forth the requirements that health plans, health care clearinghouses, most health care providers, and their business associates must follow to protect the privacy and security of protected health information (PHI). The HIPAA Security Rule establishes national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity. It also requires appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information (ePHI).
In 2018, OCR received a complaint concerning PHI left unsecured on the internet. Following the initiation of OCR’s investigation, Inmediata provided breach notification to HHS and to affected individuals. OCR’s investigation determined that from May 2016 through January 2019, the PHI of 1,565,338 individuals was made publicly available online. The PHI disclosed included patient names, dates of birth, home addresses, Social Security numbers, claims information, diagnoses/conditions, and other treatment information. These impermissible disclosures of PHI were potential violations of the HIPAA Privacy Rule.
OCR’s investigation also identified multiple potential HIPAA Security Rule violations including: failures by Inmediata to conduct a compliant risk analysis to determine the potential risks and vulnerabilities to ePHI in its systems; and to monitor and review its health information systems’ activity. The settlement resolves OCR’s investigation concerning this HIPAA breach.
Under the terms of the settlement, Inmediata paid OCR $250,000. OCR determined that a corrective action plan was not necessary in this resolution because Inmediata had previously agreed to a settlement with 33 states that includes corrective actions addressing OCR’s findings in this matter.
OCR recommends health care providers, health plans, clearinghouses, and business associates that are covered by HIPAA take the following steps to protect ePHI:
- Review all vendor and contractor relationships to ensure business associate agreements are in place as appropriate and address breach/security incident obligations.
- Integrate risk analysis and risk management into business processes; conduct them regularly and whenever new technologies or business operations are planned.
- Ensure audit controls are in place to record and examine information system activity.
- Implement regular review of information system activity.
- Utilize multi-factor authentication to ensure only authorized users are accessing ePHI.
- Encrypt ePHI to guard against unauthorized access to ePHI.
- Incorporate lessons learned from incidents into the overall security management process.
- Provide training that is specific to the organization and to job responsibilities, and provide it on a regular basis; reinforce workforce members’ critical role in protecting privacy and security.
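The two items on audit controls and regular review of system activity are the ones most directly tied to how this incident surfaced: PHI sat on a public web server long enough for search engines to index it, and the first party to notice was an outside complainant rather than the clearinghouse. The following script is an added example (not HHS guidance and not Inmediata’s code) of the kind of review those items call for: it parses web server access logs in the common Apache/nginx "combined" format and flags requests in which a known search-engine crawler successfully fetched a path that should never be reachable without authentication. The log lines, the host and IP addresses, and the `/claims/` prefix are all constructed for the example.

```python
import re
from collections import Counter

# Constructed sample access-log lines in Apache/nginx "combined" format.
# These are NOT real logs from Inmediata; IPs, paths and timestamps are made up.
SAMPLE_LOG = """\
66.249.66.1 - - [03/May/2018:10:12:01 +0000] "GET /claims/2017/patient_1023.pdf HTTP/1.1" 200 48213 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
40.77.167.23 - - [03/May/2018:10:13:44 +0000] "GET /claims/ HTTP/1.1" 200 9121 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
10.0.0.5 - - [03/May/2018:10:15:02 +0000] "GET /claims/2017/patient_1023.pdf HTTP/1.1" 200 48213 "https://intranet.example/portal" "Mozilla/5.0 (Windows NT 10.0)"
66.249.66.1 - - [03/May/2018:10:16:30 +0000] "GET /public/index.html HTTP/1.1" 200 1200 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
66.249.66.2 - - [03/May/2018:10:17:55 +0000] "GET /claims/2017/patient_1024.pdf HTTP/1.1" 404 312 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
"""

# One "combined" log line: client, identd, user, [timestamp], "request", status, size, "referer", "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# User-agent substrings of the major search-engine crawlers (case-insensitive).
CRAWLER_UA = re.compile(r"googlebot|bingbot|yandexbot|duckduckbot|baiduspider|slurp", re.I)

# Hypothetical prefix for document trees that must never be served anonymously.
SENSITIVE_PREFIXES = ("/claims/",)


def parse_line(line):
    """Return the fields of one combined-format line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_crawler_hits(log_text, prefixes=SENSITIVE_PREFIXES):
    """Return entries where a search-engine crawler received a 2xx for a sensitive path.

    A 2xx from a crawler means the content was served anonymously and is now a
    candidate for indexing; 4xx/5xx responses and non-crawler clients are skipped.
    """
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue  # unparseable line: count it elsewhere, do not silently drop in production
        if not CRAWLER_UA.search(entry["ua"]):
            continue
        if not entry["path"].startswith(prefixes):
            continue
        if not entry["status"].startswith("2"):
            continue
        hits.append(entry)
    return hits


def summarize(hits):
    """Count flagged requests per path so the most-exposed documents sort to the top."""
    return Counter(e["path"] for e in hits)


if __name__ == "__main__":
    flagged = find_crawler_hits(SAMPLE_LOG)
    for e in flagged:
        print(f'{e["ts"]} {e["ip"]} {e["method"]} {e["path"]} -> {e["status"]} ({e["ua"][:40]})')
    print(summarize(flagged).most_common())
```

Two caveats on using this in practice. A crawler user-agent string is trivially spoofed, so a match proves only that something claiming to be a crawler fetched the file; the important signal is the 2xx on a path that should have required authentication, regardless of who asked. And this is a detective control run after the fact; the preventive fix is that documents containing ePHI are never served from an anonymously reachable location at all, which is what a compliant risk analysis of the system would have been expected to surface.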
The resolution agreement may be found at: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/inmediata-health-group-ra-cap/index.html
Source: HHS