Hacked Business Associate Agrees to Pay $100,000 as Part of HIPAA Settlement

Saul Ewing LLP

Saul Ewing Arnstein & Lehr LLP

On May 23, 2019, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), announced that Medical Informatics Engineering, Inc. (MIE) agreed to pay $100,000 to settle alleged HIPAA violations that exposed the protected health information (PHI) of more than 3,500,000 individuals when hackers gained unauthorized access to its servers.

MIE is a HIPAA business associate based in Indiana that provides software and electronic medical record services to health care providers.

According to the OCR press release announcing MIE’s settlement, MIE filed a HIPAA breach report in July 2015 “following discovery that hackers used a compromised user ID and password to access the electronic protected health information (ePHI) of approximately 3.5 million people.”

In addition to the $100,000 payment, MIE entered into a two-year corrective action plan (CAP) with HHS.  As part of the CAP, MIE agreed to:

  • Conduct a comprehensive risk analysis of “the potential risks and vulnerabilities to the confidentiality, integrity, and availability” of MIE’s ePHI within 30 days of the effective date of the OCR settlement.  OCR specified MIE’s risk analysis shall include an inventory of its facilities and categories of electronic equipment;
  • Develop and implement a written risk management plan to address and mitigate security risks and vulnerabilities identified in the risk analysis; and
  • Provide annual reports to HHS of its compliance efforts with respect to the CAP.

The MIE settlement highlights the importance of covered entities and business associates conducting thorough risk analyses as required by the Security Rule. MIE is a HIPAA business associate, and so the settlement also serves as a reminder that business associates have direct liability to the government under HIPAA. Hackers are pervasive in the health care delivery system (and across all industries) and MIE’s failure to identify potential risks and vulnerabilities to its ePHI resulted in an expensive settlement for MIE.  

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Saul Ewing LLP
