The Department of Health and Human Services Office for Civil Rights (OCR) has shown once again, through a recent settlement, that it is willing to enforce HIPAA against business associates. The settlement highlights the importance of the thorough risk analysis that the HIPAA Security Rule requires of business associates and covered entities, and it signals that OCR remains ready to exercise its authority to enforce HIPAA’s requirements against business associates. Following the settlement, OCR released a fact sheet that provides guidance on HIPAA compliance and on the direct liability of business associates.
Recent Settlement
On May 23, 2019, OCR announced a settlement with a business associate relating to a 2015 data breach. The business associate provides software to healthcare providers that allows patients to access and manage their electronic health records through a patient portal. The company has agreed to pay OCR $100,000 to settle potential violations of HIPAA.
In July 2015, the company filed a breach report with OCR after discovering that hackers had used a compromised user ID and password to access the electronic protected health information (ePHI) of approximately 3.5 million individuals. The hackers gained access to a server containing names, addresses, usernames, passwords, and health insurance information. OCR’s investigation found that the company had not conducted a comprehensive risk analysis prior to the breach. In addition to the $100,000 settlement with OCR, the company will undergo a two-year corrective action plan that includes a complete, enterprise-wide risk analysis. As part of the corrective action plan, the company has agreed to: