The Office of Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS) announced that it has entered into a settlement with a business associate that provides electronic medical records services to health care providers. The resolution agreement requires Medical Informatics Engineering, Inc. (MIE) to pay $100,000 and adhere to a corrective action plan. Under the corrective action plan, MIE must conduct a security risk assessment and implement a security risk management plan under OCR supervision.

The breach that gave rise to the settlement resulted from a compromised user name and password that allowed hackers access to the electronic protected health information of 3.5 million people. The compromised information included names, addresses, birth dates, Social Security numbers, e-mail addresses, clinical information, and health insurance information. As required by HIPAA, MIE reported the breach.OCR investigated and found that MIE had failed to conduct an accurate and thorough security risk analysis.

Direct Liability. Shortly after OCR announced this settlement, HHS published guidance on the broad range of HIPAA violations for which a business associate may be held directly liable. These violations include:

• The failure to meet a wide range of HIPAA’s security rules (as in the settlement)

• Impermissible uses and disclosures of Protected Health Information (PHI)

• The lack of a reasonable effort to limit PHI to the minimum necessary in the applicable circumstances

• The failure to respond appropriately to requests by individuals exercising their rights with regard to their own protected health information

• The failure to enter into a business associate agreement with a subcontractor that receives or creates PHI for the business associate

• The failure to send appropriate notice of a breach

In tandem, the guidance and settlement serve as strong warnings to business associates that they may be held directly liable for acts or omissions that do not meet HIPAA standards.

Penalty Limits. While sounding the alarm of potential liability, the settlement also may echo the reduced maximum limits on penalties, which OCR announced in April. On the basis of the information revealed and the numbers affected, the penalty sought from MIE could have been much larger. Under OCR guidance, the minimum penalty that applies (when even reasonable diligence would not have prevented the breach) would be based on $100 per violation. With 3.5 million people affected, that would come to $350 million, if no maximum dollar limit applied.

However, OCR has set a dollar cap that applies for each type of violation. In this case, OCR cited only one type of violation: the failure to conduct an appropriate security risk assessment. Under prior guidance, the cap for any type of violation was $1.5 million. However, new guidance sets forth smaller limits for violations that it considers less blameworthy. In this case, the $100,000 penalty matches the maximum that may be imposed for a violation that is due to reasonable cause.

More detailed information would be needed to determine whether and how the new limits on penalties applied in this case, but the amount of the penalty suggests that OCR may have taken the new limits into account in reaching the recently announced settlement.