NYSDA Publications

OCR Takes HIPAA Action Against Health Care Clearinghouse for Exposing Patient Data on Internet

Dec 10, 2024

Per the notice below, the United States Office for Civil Rights (OCR) has taken action under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) against a health care clearinghouse for exposing patient data on the Internet.

HHS Office for Civil Rights Settles with Health Care Clearinghouse, Inmediata Health Group, Over HIPAA Impermissible Disclosure

$250,000 settlement resolves longstanding HIPAA Security Rule failures

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced a settlement with Inmediata Health Group, LLC (Inmediata), a health care clearinghouse, concerning potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule, following OCR’s receipt of a complaint that HIPAA protected health information was accessible on the Internet to search engines such as Google.

“Health care entities must ensure that they are not leaving patient health information accessible online to anyone with an internet connection,” said OCR Director Melanie Fontes Rainer. “Effective cybersecurity means being proactive and vigilant in searching for risks and vulnerabilities to health data and preventing unauthorized access to patient health information.”

OCR enforces the HIPAA Privacy, Security, and Breach Notification Rules, which set forth the requirements that health plans, health care clearinghouses, most health care providers, and their business associates must follow to protect the privacy and security of protected health information (PHI). The HIPAA Security Rule establishes national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity. It also requires appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information (ePHI).

In 2018, OCR received a complaint concerning PHI left unsecured on the Internet. Following the initiation of OCR’s investigation, Inmediata provided breach notification to HHS and to affected individuals. OCR’s investigation determined that from May 2016 through January 2019, the PHI of 1,565,338 individuals was made publicly available online. The PHI disclosed included patient names, dates of birth, home addresses, Social Security numbers, claims information, diagnoses/conditions, and other treatment information. These impermissible disclosures of PHI were potential violations of the HIPAA Privacy Rule. OCR’s investigation also identified multiple potential HIPAA Security Rule violations, including failures by Inmediata to conduct a compliant risk analysis to determine the potential risks and vulnerabilities to ePHI in its systems, and to monitor and review its health information systems’ activity.

The settlement resolves OCR’s investigation concerning this HIPAA breach. Under the terms of the settlement, Inmediata paid OCR $250,000. OCR determined that a corrective action plan was not necessary in this resolution because Inmediata had previously agreed to a settlement with 33 states that includes corrective actions addressing OCR’s findings in this matter.

OCR recommends that health care providers, health plans, clearinghouses, and business associates covered by HIPAA take the following steps to protect ePHI:

  • Review all vendor and contractor relationships to ensure business associate agreements are in place as appropriate and address breach/security incident obligations.
  • Integrate risk analysis and risk management into business processes; conduct them regularly and whenever new technologies and business operations are planned.
  • Ensure audit controls are in place to record and examine information system activity.
  • Implement regular review of information system activity.
  • Utilize multi-factor authentication to ensure only authorized users are accessing ePHI.
  • Encrypt ePHI to guard against unauthorized access to ePHI.
  • Incorporate lessons learned from incidents into the overall security management process.
  • Provide training specific to the organization and to job responsibilities, on a regular basis; reinforce workforce members’ critical role in protecting privacy and security.

The resolution agreement may be found at: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/inmediata-health-group-ra-cap/index.html. The HHS Breach Portal (Notice to the Secretary of HHS Breach of Unsecured Protected Health Information) may be found at: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf. OCR is committed to enforcing the HIPAA Rules that protect the privacy and security of people’s health information. Guidance about the Privacy Rule, Security Rule, and Breach Notification Rules can also be found on OCR’s website. If you believe that your or another person’s health information privacy or civil rights have been violated, you can file a complaint with OCR at: https://www.hhs.gov/ocr/complaints/index.html.