Nixon Peabody LLP

  • People
  • Capabilities
  • Insights
  • About

Trending Topics

    • People
    • Capabilities
    • Insights
    • About
    • Locations
    • Events
    • Careers
    • Alumni

    Practices

    View All

    • Affordable Housing
    • Community Development Finance
    • Corporate & Finance
    • Cybersecurity & Privacy
    • Environmental
    • Franchising & Distribution
    • Government Investigations & White Collar Defense
    • Healthcare
    • Intellectual Property
    • International Services
    • Labor & Employment
    • Litigation
    • Private Wealth & Advisory
    • Project Finance
    • Public Finance
    • Real Estate
    • Regulatory & Government Relations

    Industries

    View All

    • Cannabis
    • Consumer
    • Energy
    • Entertainment
    • Financial Services
    • Healthcare
    • Higher Education
    • Infrastructure
    • Manufacturing
    • Non Profit
    • Real Estate
    • Technology

    Value-Added Services

    View All

    • Alternative Fee Arrangements

      Developing innovative pricing structures and alternative fee agreement models that deliver additional value for our clients.

    • Continuing Education

      Advancing professional knowledge and offering credits for attorneys, staff and other professionals.

    • Crisis Advisory

      Helping clients respond correctly when a crisis occurs.

    • DEI Strategic Services

      Providing our clients with legal, strategic, and practical advice to make transformational changes in their organizations.

    • eDiscovery

      Leveraging law and technology to deliver sound solutions.

    • Global Services

      Delivering seamless service through partnerships across the globe.

    • Innovation

      Leveraging leading-edge technology to guide change and create seamless, collaborative experiences for clients and attorneys.

    • IPED

      Industry-leading conferences focused on affordable housing, tax credits, and more.

    • Legal Project Management

      Providing actionable information to support strategic decision-making.

    • Legally Green

      Teaming with clients to advance sustainable projects, mitigate the effects of climate change, and protect our planet.

    • Nixon Peabody Trust Company

      Offering a range of investment management and fiduciary services.

    • NP Capital Connector

      Bringing together companies and investors for tomorrow’s new deals.

    • NP Second Opinion

      Offering fresh insights on cases that are delayed, over budget, or off-target from the desired resolution.

    • NP Trial

      Courtroom-ready lawyers who can resolve disputes early on clients’ terms or prevail at trial before a judge or jury.

    • Social Impact

      Creating positive impact in our communities through increasing equity, access, and opportunity.

    1. Home
    2. Insights
    3. Articles
    4. Failure to conduct risk analysis leads to OCR penalties for business associateArticles

    Article

    Failure to conduct risk analysis leads to OCR penalties for business associate

    June 11, 2019

    Share

    By Jéna Grady

    On May 23, 2019, the Department of Health and Human Services Office for Civil Rights (OCR) announced that Medical Informatics Engineering, Inc. (MIE) had agreed to pay $100,000 to OCR and adopt a corrective action plan to settle possible violations of the HIPAA Privacy and Security Rules.

    On May 23, 2019, the Department of Health and Human Services Office for Civil Rights (OCR) announced that Medical Informatics Engineering, Inc. (MIE) had agreed to pay $100,000 to OCR and adopt a corrective action plan to settle possible violations of the HIPAA Privacy and Security Rules.

    MIE provides software and electronic medical record services to health care providers. On May 26, 2015, MIE found suspicious activity on one if its servers and upon further examination determined that unauthorized access to its network began on May 7, 2015, leading to hackers accessing electronic PHI (ePHI) of approximately 3.5 million people. Access was based on a compromised user ID and password.

    On July 23, 2015, MIE filed a breach report to OCR and OCR’s investigation determined in part that MIE did not conduct a comprehensive risk analysis, as required by the HIPAA Security Rule, prior to the breach by the hackers. OCR Director Roger Severino stated “[e]ntities with medical records must be on guard against hackers” and “[t]he failure to identify potential risks and vulnerabilities to ePHI opens the door to breaches and violates HIPAA.”

    MIE’s corrective action plan requires MIE in part to develop a complete inventory of all of its facilities, categories of electronic equipment, data system and applications that create, receive, transmit or maintain ePHI and subsequently conduct a risk analysis that evaluates the risks to ePHI on MIE’s inventory.

    Interestingly, the day after OCR’s MIE settlement press release, OCR issued a press release providing that it has issued a new fact sheet to list out all HIPAA provisions through which a business associate can be held directly liable for HIPAA compliance.

    OCR’s press release about this settlement can be found here and OCR’s press release about the new fact sheet for business associates can be found here.

    PrivacyHealth Care And Hipaa

    Subscribe to stay informed of the latest legal news, alerts, and business trends.Subscribe

    • People
    • Capabilities
    • Insights
    • About
    • Locations
    • Events
    • Careers
    • Alumni
    • © 2023 Nixon Peabody. All rights reserved
    • Privacy Policy
    • Terms of Use
    • Statement of Client Rights
    • Supplier Diversity Program
    • Nixon Peabody International LLC
    • PAL