On May 6, 2019, the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) announced a settlement with Touchstone Medical Imaging (Touchstone), a diagnostic medical imaging services provider, requiring a three million dollar financial settlement and a two-year Corrective Action Plan.
There are a number of lessons that HIPAA covered entities and business associates can glean from the Touchstone enforcement action, a notable one being that an entity should promptly and thoroughly investigate any security incident or potential data breach. Both OCR and the Federal Bureau of Investigation (FBI) notified Touchstone that one of its FTP servers was allowing uncontrolled access to patients’ protected health information (PHI). After initially denying the exposure, Touchstone eventually reported a breach of more than 300,000 social security numbers and other PHI. OCR found that both Touchstone’s investigation of the incident, as well as its notification, were not handled in a timely manner.
In investigating Touchstone, OCR also found that the entity did not conduct an accurate and thorough risk analysis—a key enforcement priority of OCR in recent years. As part of its Corrective Action Plan, Touchstone is required to conduct an enterprise-wide risk analysis, including creating an inventory of all of its equipment, systems, applications and off-site storage facilities that contain PHI. This is a key element for any organization in order to decide what systems and processes best secure PHI and other sensitive data.
In addition, OCR detailed that Touchstone failed to execute business associate agreements with its vendors, including its information technology vendors, prior to the disclosure of PHI. Similar to prior settlements, the Touchstone settlement emphasizes the importance of understanding which vendors will receive or have access to an organization’s PHI and having the parties involved execute a business associate agreement at the outset of the arrangement.