June 28, 2023
The U.S. Department of Health and Human Services Office for Civil Rights (OCR) has decided to celebrate the 4th of July a bit differently this year. No, they’re not hosting a BBQ or a picnic. Instead, they’ve resolved a blazing inquiry with iHealth Solutions, a Kentucky-based firm providing a whole array of IT services to healthcare providers, including coding, billing, and onsite IT support.
Like leaving the fireworks out in the rain before the big show, iHealth Solutions committed a significant faux pas by allowing the protected health information of 267 people to be as unguarded as a picnic basket at a bear convention.
“HIPAA business associates must protect the privacy and security of the health information they are entrusted with by HIPAA-covered entities,” said OCR Director Melanie Fontes Rainer. “Effective cybersecurity includes ensuring that electronic protected health information is secure, and not accessible to just anyone with an internet connection.”
In 2017, the sparklers were lit when a report emerged stating that iHealth Solutions had experienced an unauthorized transfer of protected health information from its unsecured server. This information wasn’t just your average email addresses and phone numbers – the information included confidential information, including patient names, birth dates, Social Security numbers, diagnoses, treatment information, and medical histories.
The investigation detected a potential failure on iHealth Solution’s part to adequately assess risks and vulnerabilities to electronically protected health information across the organization.
So, what’s the big *BANG* at the end of this fuse? A pretty hefty $75,000 civil monetary penalty, paid to OCR by iHealth Solutions. The company also agreed to a corrective action plan which includes several measures to ensure the protection of electronic protected health information.
These steps include conducting a thorough analysis to identify risks and vulnerabilities, implementing a risk management plan, evaluating changes that affect the security of information, and revising HIPAA policies and procedures as required. As a finale, iHealth will be under the watchful eye of OCR for two years, ensuring its compliance with the HIPAA Security Rule.
Abyde helps organizations avoid catastrophes precisely like this one. Abyde is like the super-organized neighbor who prepares for the 4th of July celebrations months in advance, ensuring everyone’s safety and enjoyment. They’re not in the business of barbecues and fireworks but rather in making HIPAA compliance as smooth and worry-free as a classic American apple pie.
So, as we celebrate our independence this July 4, let’s remember that freedom should never come at the expense of our security, especially when it involves our personal health information. Here’s hoping your barbecues are hot, your fireworks are safe, and your servers are secure!