The Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services disclosed a settlement concerning potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Rules. The settlement was with MedEvolve, Inc., a business associate offering practice management, revenue cycle management, and practice analytics software services to health care entities. This settlement brings an end to the OCR’s probe into a data breach incident where a server containing the protected health information of 230,572 individuals was left vulnerable and accessible on the internet.

The potential HIPAA violations included the absence of an analysis to identify risks and vulnerabilities to electronic protected health information throughout the organization, and the failure to establish a business associate agreement with a subcontractor. 

These agreements typically outline the permissible uses and disclosures of protected health information, implementation of appropriate safeguards, and the procedure for notifying the covered entity of any breaches. As a part of the settlement, MedEvolve paid a $350,000 monetary settlement to the OCR and consented to implement a corrective action plan to address these potential violations and enhance the security of electronic patient health information.

OCR Director, Melanie Fontes Rainer, emphasized the importance of securing electronic protected health information, stating, “Ensuring that security measures are in place to protect electronic protected health information where it is stored is an integral part of cybersecurity and the protection of patient privacy.”

The investigation into MedEvolve began in July 2018 after a breach notification report highlighted that an FTP server containing electronic protected health information was openly accessible on the internet. The exposed information included patient names, billing addresses, telephone numbers, primary health insurer and doctor’s office account numbers, and in some instances, Social Security numbers. 

The OCR investigates every report of breaches affecting 500 or more people. In 2022, the most common type of large breach reported to the OCR was hacking/IT incidents, accounting for 79% of cases. It’s therefore essential for HIPAA-covered entities and their business associates to ramp up their efforts to identify and tackle cybersecurity threats.

Under the settlement agreement, MedEvolve will be under OCR’s scrutiny for two years to ensure compliance with the HIPAA Security Rule. They have agreed to take measures such as conducting a comprehensive risk analysis, developing a risk management plan, revising policies and procedures as necessary, enhancing their HIPAA and Security Training Program, and reporting non-compliance within their workforce to the HHS within sixty days.

In today’s world where data breaches are increasingly common, Abyde takes a proactive stance in ensuring that healthcare providers maintain the highest standards of compliance. Our comprehensive software solution is designed to alleviate the burden of HIPAA compliance for healthcare professionals, and mitigate the risk of a costly incident like MedEvolve’s.