Failure to conduct risk analysis leads to OCR penalties for business associate

On May 23, 2019, the Department of Health and Human Services Office for Civil Rights (OCR) announced that Medical Informatics Engineering, Inc. (MIE) had agreed to pay $100,000 to OCR and adopt a corrective action plan to settle possible violations of the HIPAA Privacy and Security Rules.

MIE provides software and electronic medical record services to health care providers. On May 26, 2015, MIE found suspicious activity on one of its servers and, upon further examination, determined that unauthorized access to its network had begun on May 7, 2015, leading to hackers accessing the electronic PHI (ePHI) of approximately 3.5 million people. Access was gained using a compromised user ID and password.

On July 23, 2015, MIE filed a breach report to OCR and OCR’s investigation determined in part that MIE did not conduct a comprehensive risk analysis, as required by the HIPAA Security Rule, prior to the breach by the hackers. OCR Director Roger Severino stated “[e]ntities with medical records must be on guard against hackers” and “[t]he failure to identify potential risks and vulnerabilities to ePHI opens the door to breaches and violates HIPAA.”

MIE’s corrective action plan requires MIE, in part, to develop a complete inventory of all of its facilities, categories of electronic equipment, data systems and applications that create, receive, transmit or maintain ePHI, and subsequently to conduct a risk analysis that evaluates the risks to the ePHI covered by that inventory.

Interestingly, the day after OCR’s MIE settlement press release, OCR issued another press release announcing a new fact sheet that lists all HIPAA provisions under which a business associate can be held directly liable for HIPAA compliance.

OCR’s press release about this settlement can be found here and OCR’s press release about the new fact sheet for business associates can be found here.