OCR Announces $3 Million HIPAA Enforcement Settlement for Breach of 300,000 Patients’ PHI

On May 6, 2019, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced an agreement  with Touchstone Medical Imaging, LLC (Touchstone), settling allegations that Touchstone violated the Health Insurance Portability and Accountability Act (HIPAA) Security Rule by allowing uncontrolled public access to patients’ protected health information (PHI).

Touchstone provides diagnostic medical imaging services in multiple states, including Nebraska, Texas, Colorado, Florida, and Arkansas. In May 2014, OCR received an email that alleged the Social Security numbers of Touchstone’s patients were available online through an insecure file transfer protocol web server. Touchstone learned of the insecure web server the same day OCR was notified. OCR initially investigated the allegation within a few days and discovered that PHI, including Social Security numbers, was visible through a Google search. Following a full investigation, OCR determined that names, dates of births, phone numbers, and addresses of over 300,000 patients had been accessible to the public through the insecure web server. Some patients’ Social Security numbers were also released. In addition, OCR discovered that Touchstone failed to enter into required business associate agreements, failed to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic PHI, and failed to notify affected individuals and media outlets of the breach in a timely manner.

As a result of the Resolution Agreement and Corrective Action Plan, Touchstone must pay $3 million in penalties to HHS and adhere to a Corrective Action Plan that requires it to:

• conduct an accounting of its business associates and provide HHS with its business associate agreements within 60 days;
• complete an analysis of security risks and vulnerabilities that incorporates all electronic equipment, data systems, programs, and applications of Touchstone or its affiliates that contain, store, transmit, or receive Touchstone e-PHI and submit the analysis to HHS for its approval;
• review and revise its written policies to comply with the Privacy, Security, and Breach Notification Rules and submit the policies to HHS for its approval;
• distribute its policies and procedures to its entire workforce, and to new workers within their first 14 days, and require new workers to sign a certification form stating they have read, understood, and will abide by the policies and procedures;
• prepare and submit to HHS for its approval proposed training materials for Touchstone’s workforce and provide training to all members of its workforce and new workers within their first 14 days of work; and
• submit to HHS an annual report that includes the company’s status in complying with the Corrective Action Plan, an updated accounting of business associates, a copy of all training materials, and verification that all members of the workforce have received the necessary training.

OCR announced this settlement just one week after HHS announced that it will lower the maximum penalties it will assess for some HIPAA violations. Although the Touchstone Resolution Agreement was negotiated before the new limits took effect, it seems unlikely that the new guidelines would have lowered the penalty in this case. Under the new guidelines, the maximum amount for the most serious HIPAA violations remains unchanged at $1.5 million per type of violation per year. Given the OCR’s findings in this case—in particular that the breach came to light only after a third party reported it and that Touchstone failed to timely notify affected individuals of the breach—it seems likely that OCR would have placed this violation within the most serious category of violations in determining how much to assess. Thus, the Touchstone settlement reminds us that, notwithstanding the new guidelines, significant, uncorrected violations may still result in large monetary penalties and close monitoring from HHS.

Ballard Spahr's HIPAA Compliance Team, comprising attorneys from various disciplines, advises health care providers, health plans, and their business associates on the privacy and security requirements under HIPAA. Our attorneys provide guidance on security rule practices and policies; prepare HIPAA policies, forms, vendor agreements, and other compliance documentation; prepare training tools and conduct HIPAA compliance training; and advise clients about OCR audit requirements.

Copyright © 2019 by Ballard Spahr LLP.
www.ballardspahr.com
(No claim to original U.S. government material.)

All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, including electronic, mechanical, photocopying, recording, or otherwise, without prior written permission of the author and publisher.

This alert is a periodic publication of Ballard Spahr LLP and is intended to notify recipients of new developments in the law. It should not be construed as legal advice or legal opinion on any specific facts or circumstances. The contents are intended for general informational purposes only, and you are urged to consult your own attorney concerning your situation and specific legal questions you have.