The Department of Health and Human Services’ Office for Civil Rights has announced a settlement has been reached with Indiana-based electronic medical record software and service provider Medical Informatics Engineering to resolve HIPAA violations discovered during the investigation of a 2015 data breach.

The settlement agreement requires Medical Informatics Engineering to pay a financial penalty of $100,000 and adopt a corrective action plan (CAP). The CAP requires MIE to conduct an organization-wide risk analysis to identify all risks to the confidentiality, integrity, and availability of protected health information (PHI). A risk management plan must also be developed and implemented and all identified risks must be reduced to a reasonable and acceptable level.

The breach in question occurred in May 2015 when hackers gained access to one of its servers for a period of 19 days. The hackers used a compromised username and password to gain access to the server, which contained the PHI of patients of 239 of its NoMoreClipboard clients. In total, the PHI of 3.5 million individuals was compromised.

OCR launched an investigation to determine if the breach could have been avoided and whether violations of HIPAA Rules played a part in the security breach. OCR investigators discovered a comprehensive, organization-wide risk analysis had not been conducted in violation of 45 C.F.R. § 164.308(a)(l)(ii)(A) of the HIPAA Security Rule. That failure contributed to the impermissible disclosure of 3.5 million patients’ PHI.

“Entities entrusted with medical records must be on guard against hackers,” said OCR Director Roger Severino. “The failure to identify potential risks and vulnerabilities to ePHI opens the door to breaches and violates HIPAA.”

The risk analysis is one of the most important requirements of the HIPAA Security Rule, yet it is one of the most common areas of non-compliance. If a risk analysis is not conducted, it is probable that risks will be allowed to persist which could result in an impermissible disclosure of PHI. Risk analysis failures were discovered during both phases of OCR’s HIPAA compliance audits and it is the most common violation cited in HIPAA settlements and civil monetary penalties.

This is the second HIPAA violation penalty to be issued by OCR in 2019. Also in May, OCR announced that a settlement had been reached with Touchstone Medical Imaging to resolve multiple violations of HIPAA Rules.