October 19, 2021

Volume XI, Number 292

Alert: OCR Announces $3 Million HIPAA Enforcement Settlement for Breach of 300,000 Patients’ PHI

On May 6, 2019, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced an agreement with Touchstone Medical Imaging, LLC (Touchstone), settling allegations that Touchstone violated the Health Insurance Portability and Accountability Act (HIPAA) Security Rule by allowing uncontrolled public access to patients’ protected health information (PHI).

Touchstone provides diagnostic medical imaging services in multiple states, including Nebraska, Texas, Colorado, Florida, and Arkansas. In May 2014, OCR received an email alleging that the Social Security numbers of Touchstone’s patients were available online through an insecure file transfer protocol (FTP) web server. Touchstone learned of the insecure web server the same day OCR was notified. OCR initially investigated the allegation within a few days and discovered that PHI, including Social Security numbers, was visible through a Google search. Following a full investigation, OCR determined that the names, dates of birth, phone numbers, and addresses of over 300,000 patients had been accessible to the public through the insecure web server. Some patients’ Social Security numbers were also exposed. In addition, OCR found that Touchstone had failed to enter into required business associate agreements, failed to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic PHI, and failed to notify affected individuals and media outlets of the breach in a timely manner.

Under the Resolution Agreement, Touchstone must pay $3 million to HHS and adhere to a Corrective Action Plan that requires it to:

  • conduct an accounting of its business associates and provide HHS with its business associate agreements within 60 days;
  • complete an analysis of security risks and vulnerabilities that incorporates all electronic equipment, data systems, programs, and applications of Touchstone or its affiliates that contain, store, transmit, or receive Touchstone e-PHI and submit the analysis to HHS for its approval;
  • review and revise its written policies to comply with the Privacy, Security, and Breach Notification Rules and submit the policies to HHS for its approval;
  • distribute its policies and procedures to its entire workforce, and to new workers within their first 14 days, and require new workers to sign a certification form stating they have read, understood, and will abide by the policies and procedures;
  • prepare and submit to HHS for its approval proposed training materials for Touchstone’s workforce and provide training to all members of its workforce and new workers within their first 14 days of work; and
  • submit to HHS an annual report that includes the company’s status in complying with the Corrective Action Plan, an updated accounting of business associates, a copy of all training materials, and verification that all members of the workforce have received the necessary training.

OCR announced this settlement just one week after HHS announced that it will lower the maximum penalties it will assess for some HIPAA violations. Although the Touchstone Resolution Agreement was negotiated before the new limits took effect, it seems unlikely that the new guidelines would have lowered the penalty in this case. Under the new guidelines, the maximum amount for the most serious HIPAA violations remains unchanged at $1.5 million per type of violation per year. Given OCR’s findings in this case—in particular that the breach came to light only after a third party reported it and that Touchstone failed to timely notify affected individuals of the breach—it seems likely that OCR would have placed this violation within the most serious category of violations in determining how much to assess. Thus, the Touchstone settlement reminds us that, notwithstanding the new guidelines, significant, uncorrected violations may still result in large monetary penalties and close monitoring by HHS.

Copyright © by Ballard Spahr LLP. National Law Review, Volume IX, Number 128

About this Author

Edward I. Leeds, Philadelphia attorney, Ballard Spahr Law Firm, Employee Benefits and Executive Compensation attorney
Counsel

Edward I. Leeds concentrates on issues relating to the design, administration, and taxation of health and other welfare benefit plans. His practice has evolved with the laws and market forces that shape those plans. Mr. Leeds advises clients about compliance with the Affordable Care Act, HIPAA, HITECH, COBRA, cafeteria plan rules, and other legal requirements. He prepares clients for audits of their privacy and security measures under HIPAA and advises them about the rules governing wellness initiatives.

Mr. Leeds represents employers in the negotiation and drafting of contracts...

215.864.8419
Paige A. Haughton, Employment Lawyer, Ballard Spahr Law Firm
Associate

Paige A. Haughton is an associate in the firm's Employee Benefits and Executive Compensation Group. She advises corporate and nonprofit clients on employee benefit and executive compensation matters. She assists clients with the design, administration, and governance of retirement, health and welfare plans. In addition, Paige works with clients to ensure compliance with applicable statutes and regulations, including ERISA, the Internal Revenue Code, HIPAA, and COBRA.

During law school, Paige served as a law school research assistant, researching and writing on insurance law matters...

612-371-5773