Alert: OCR Announces $3 Million HIPAA Enforcement Settlement for Breach of 300,000 Patients’ PHI
On May 6, 2019, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced an agreement with Touchstone Medical Imaging, LLC (Touchstone), settling allegations that Touchstone violated the Health Insurance Portability and Accountability Act (HIPAA) Security Rule by allowing uncontrolled public access to patients’ protected health information (PHI).
Touchstone provides diagnostic medical imaging services in multiple states, including Nebraska, Texas, Colorado, Florida, and Arkansas. In May 2014, OCR received an email alleging that the Social Security numbers of Touchstone’s patients were available online through an insecure file transfer protocol (FTP) web server. Touchstone learned of the insecure web server the same day OCR was notified. OCR initially investigated the allegation within a few days and discovered that PHI, including Social Security numbers, was visible through a Google search. Following a full investigation, OCR determined that the names, dates of birth, phone numbers, and addresses of over 300,000 patients had been accessible to the public through the insecure web server. Some patients’ Social Security numbers were also released. In addition, OCR found that Touchstone failed to enter into required business associate agreements, failed to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic PHI, and failed to notify affected individuals and media outlets of the breach in a timely manner.
As a result of the Resolution Agreement and Corrective Action Plan, Touchstone must pay $3 million in penalties to HHS and adhere to a Corrective Action Plan that requires it to:
- conduct an accounting of its business associates and provide HHS with its business associate agreements within 60 days;
- complete an analysis of security risks and vulnerabilities that incorporates all electronic equipment, data systems, programs, and applications of Touchstone or its affiliates that contain, store, transmit, or receive Touchstone e-PHI and submit the analysis to HHS for its approval;
- review and revise its written policies to comply with the Privacy, Security, and Breach Notification Rules and submit the policies to HHS for its approval;
- distribute its policies and procedures to its entire workforce, and to new workers within their first 14 days, and require new workers to sign a certification form stating they have read, understood, and will abide by the policies and procedures;
- prepare and submit to HHS for its approval proposed training materials for Touchstone’s workforce and provide training to all members of its workforce and new workers within their first 14 days of work; and
- submit to HHS an annual report that includes the company’s status in complying with the Corrective Action Plan, an updated accounting of business associates, a copy of all training materials, and verification that all members of the workforce have received the necessary training.
OCR announced this settlement just one week after HHS announced that it will lower the maximum penalties it will assess for some HIPAA violations. Although the Touchstone Resolution Agreement was negotiated before the new limits took effect, it seems unlikely that the new guidelines would have lowered the penalty in this case. Under the new guidelines, the maximum amount for the most serious HIPAA violations remains unchanged at $1.5 million per type of violation per year. Given OCR’s findings in this case—in particular that the breach came to light only after a third party reported it and that Touchstone failed to notify affected individuals of the breach in a timely manner—it seems likely that OCR would have placed this violation within the most serious category of violations in determining how much to assess. Thus, the Touchstone settlement reminds us that, notwithstanding the new guidelines, significant, uncorrected violations may still result in large monetary penalties and close monitoring by HHS.