The EHR developer violated a HIPAA requirement by failing to conduct a comprehensive risk analysis.
Medical Informatics Engineering, a health information technology (IT) software and electronic health record developer, paid $100,000 to settle a Health Insurance Portability and Accountability Act (HIPAA) violation connected to a data breach, according to the U.S. Department of Health and Human Services (HHS).
In 2015, Medical Informatics Engineering filed a data breach report with the Office for Civil Rights (OCR) after discovering that hackers used a compromised user identification and password to access the electronic protected health information of approximately 3.5 million patients.
An investigation revealed that, prior to the breach, the company had not conducted a comprehensive risk analysis to assess the potential risks and vulnerabilities to the confidentiality, integrity and availability of its electronic protected health information. Such an analysis is a HIPAA requirement.
“Entities entrusted with medical records must be on guard against hackers,” said OCR Director Roger Severino. “The failure to identify potential risks and vulnerabilities to (electronic protected health information) opens the door to breaches and violates HIPAA.”
The hackers might have obtained names, addresses, dates of birth, Social Security numbers, email addresses, clinical information and health insurance information.
Medical Informatics Engineering agreed to take corrective actions to comply with HIPAA rules, including a complete, enterprise-wide risk analysis.
The risk analysis will evaluate the dangers to electronic protected health information stored in electronic equipment, data systems and applications controlled, administered or owned by the company.
Before the risk analysis, the company will need to complete an inventory of all of its facilities and of the categories of equipment and software it uses.
Medical Informatics Engineering will need to develop and implement a risk management plan to address and mitigate the risks and vulnerabilities identified by the risk analysis. The plan must include a process and timeline for the company’s implementation, evaluation and revision of risk remediation activities.