OCR Director Melanie Fontes Rainer (right) with HHS Sec. Xavier Becerra | U.S. Department of Health and Human Services

OCR's Rainer: Patient information must be protected 'and not accessible to just anyone with an internet connection'

A Kentucky-based business that provides services to the healthcare industry has agreed to pay $75,000 and implement corrective actions to settle alleged violations of patient privacy. The violations involved a data breach that left hundreds of patients' personal information unsecured and online.

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced June 28 that it had reached the settlement with iHealth Solutions, LLC, doing business as Advantum Health. The company, which provides billing, coding and onsite information technology services to healthcare providers, is charged with violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, and Breach Notification Rules, according to the announcement.

"The settlement involved a data breach, where a network server containing the protected health information of 267 individuals was left unsecure on the internet," HHS reported in the news release. "The HIPAA Privacy, Security, and Breach Notification Rules set the requirements that HIPAA-regulated entities must follow to protect the privacy and security of health information."

OCR opened an investigation in August 2017 into iHealth Solutions after receiving a breach report citing that the company "had experienced an unauthorized transfer of protected health information, known as exfiltration, from its unsecured server," the news release stated. The information included "patient names, dates of birth, addresses, Social Security numbers, email addresses, diagnoses, treatment information, medical procedures, and medical histories," the release reported.

The investigation also found evidence that iHealth Solutions had not conducted any risk analysis to determine whether there were risks or vulnerabilities to the electronic protected health information in its organization, according to the release.

In addition to paying a $75,000 fine for the data breach, iHealth Solutions must also implement a "corrective action plan" that identifies the measures the company will take to resolve potential HIPAA violations and protect patients' health information. According to the release, those steps include: conducting an accurate and thorough audit of its business to identify any potential risks and weaknesses that could affect the electronic protected health information it holds; creating and implementing a risk management strategy to address and reduce security risks and vulnerabilities that could affect the confidentiality, integrity, and availability of the organization's electronic protected health information; enacting a procedure for assessing operational and environmental changes that affect the security of electronic protected health information; and creating, maintaining, and updating its documented HIPAA policies and procedures as appropriate.

As part of the settlement agreement, OCR will monitor iHealth Solutions for two years to make sure the company complies with the HIPAA Security Rule, the release stated.

"HIPAA business associates must protect the privacy and security of the health information they are entrusted with by HIPAA covered entities," OCR Director Melanie Fontes Rainer said in the news release. "Effective cybersecurity includes ensuring that electronic protected health information is secure, and not accessible to just anyone with an internet connection."