Deeper Than the Headlines: OCR Settlements for May 2019

The OCR recently announced its next major HIPAA enforcement settlement: A diagnostic medical imaging services company in Tennessee is paying $3,000,000 to settle a breach exposing over 300,000 patients’ protected health information. The company, Touchstone Medical Imaging, also agreed to adopt a corrective action plan to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Security and Breach Notification Rules. Touchstone is based in Franklin, Tennessee, and provides diagnostic medical imaging services in Nebraska, Texas, Colorado, Florida, and Arkansas.

In May 2014, Touchstone was notified by the Federal Bureau of Investigation (FBI) and OCR that one of its FTP servers allowed uncontrolled access to its patients’ protected health information (PHI). This uncontrolled access permitted search engines to index the PHI of Touchstone’s patients, which remained visible on the Internet even after the server was taken offline.

According to OCR, Touchstone initially claimed that no patient PHI was exposed. However, during OCR’s investigation, Touchstone subsequently admitted that the PHI of more than 300,000 patients was exposed including names, birth dates, social security numbers, and addresses.  OCR’s investigation found that Touchstone did not thoroughly investigate the security incident until several months after notice of the breach from both the FBI and OCR. Consequently, Touchstone’s notification to individuals affected by the breach was also untimely. OCR’s investigation further found that Touchstone failed to conduct an accurate and thorough risk analysis of potential risks and vulnerabilities to the confidentiality, integrity, and availability of all of its electronic PHI (ePHI), and failed to have business associate agreements in place with its vendors, including their IT support vendor and a third-party data center provider.

OCR Director, Roger Severino, said “Covered entities must respond to suspected and known security incidents with the seriousness they are due, especially after being notified by two law enforcement agencies of a problem. Neglecting to have a comprehensive, enterprise-wide risk analysis, as illustrated by this case, is a recipe for failure.”

In addition to the monetary settlement, Touchstone will undertake a robust corrective action plan that includes the adoption of business associate agreements, completion of enterprise-wide risk analysis, and comprehensive policies and procedures to comply with the HIPAA Rules.

Some of the requirements in the corrective action plan include the following: Touchstone shall conduct and complete an accurate, thorough, enterprise- wide analysis of security risks and vulnerabilities that incorporates all electronic equipment, data systems, programs, and applications controlled, administered, owned, or shared by Touchstone or its affiliates that contain, store, transmit or receive ePHI. As part of this process, Touchstone shall develop a complete inventory of all electronic equipment, data systems, off-site data storage facilities, and applications that contain or store ePHI which will then be incorporated in its Risk Analysis.

Touchstone shall review and revise its written policies and procedures to comply with the Privacy, Security, and Breach Notification Rules including, but not limited to:

• Technical access controls for any and all network/server equipment and systems to prevent impermissible access and disclosure of ePHI
• Technical access control and restriction for all software applications that contain ePHI to ensure authorized access is limited to the minimum amount necessary
• Technical mechanisms to create access and activity logs as well as administrative procedures to routinely review logs for suspicious events and respond appropriately.
• Termination of user accounts when necessary and appropriate
• Required and routine password changes
• Password strength and safeguarding
• Addressing and documenting security incidents

Each workforce member who is required to receive training shall certify, in electronic or written form, that he or she received the training. The training certification shall specify the date on which the training was received. All training materials and certifications shall be retained.

This settlement demonstrates that the OCR is not slowing down on their efforts to enforce HIPAA standards. If your organization hasn’t performed an annual risk assessment and management plan you should complete one as soon as possible.