On May 16, 2023, the U.S. Department of Health and Human Services’ Office for Civil Rights (“OCR”) announced a $350,000 settlement with MedEvolve, Inc., a practice and revenue cycle management and practice analytics software services company, to resolve alleged violations of the Health Insurance Portability and Accountability Act (“HIPAA”) regulations. The settlement concludes OCR’s five-year investigation into the business associate, which began after a breach notification report stated that a server containing the protected health information (“PHI”) of over 200,000 individuals was openly accessible on the Internet. Notably, OCR also found that MedEvolve failed to enter into a business associate agreement with a subcontractor and that the company’s “assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by it as a business associate was not sufficiently accurate or thorough.”
In addition to the monetary settlement, MedEvolve has agreed to a two-year corrective action plan, under which OCR will monitor the business associate’s compliance with HIPAA. Among other obligations, the corrective action plan requires MedEvolve to develop and implement a risk management plan to identify security risks and vulnerabilities, and to augment its current HIPAA and Security training program.
The HIPAA Privacy, Security, and Breach Notification Rules apply to most health care entities and to those who maintain, access, use and/or disclose PHI when doing business with them. This settlement serves as a reminder that it is critical for covered entities, business associates, and their subcontractors to comply with the requirements imposed by the HIPAA regulations, which include securing (encrypting) PHI and entering into downstream business associate agreements.