Businesses with access to patient health data risk HIPAA violations that can lead to steep federal and state penalties. Elliot Dinkin, president of Cowden Associates, Inc., notes the importance of protecting medical information in light of recent data breaches and multimillion-dollar fines.
(Pittsburgh, PA) August 13, 2019—The Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS) recently announced a settlement imposing $3 million in fines on Touchstone Medical Imaging. A 2014 data breach revealed that the medical office violated numerous HIPAA (Health Insurance Portability and Accountability Act of 1996) policies. The steep penalty was determined by a few main factors, including failure to protect health data from unauthorized access, the initial denial by Touchstone that a problem existed and failure to provide timely notification of the breach to affected individuals. [1]
“This and other recent sanctions make it clear that the OCR is serious about penalizing HIPAA violations,” said Elliot Dinkin, a nationally known expert in actuarial, compensation and employee benefits issues. “Businesses providing support services to healthcare providers need to be aware of their exposure to this risk, and to make certain they have the proper agreements in place with any subcontractors they may employ in providing these services.”
The government’s multimillion-dollar settlement with Touchstone Medical Imaging was not an isolated incident. Two weeks after the case was resolved, OCR announced the $100,000 settlement of another HIPAA violation case against Medical Informatics Engineering, Inc. (MEI). In this case, the data breach took place at MEI’s subsidiary NoMoreClipboards, where hackers were able to gain access to the protected health information of 3.5 million individuals. Along with the financial penalty, MEI agreed to conduct an organization-wide program to identify data risks and reduce them to a “reasonable and acceptable” level. [2]
In addition to the sanctions levied by OCR, the attorneys general of 18 states brought a multi-state action stemming from the same data breach, resulting in an additional $900,000 penalty levied against MEI. [3]
“Given the recent tendency on the part of HHS toward active enforcement, we strongly urge business associates and covered entities to review their current agreements with an expert in the field to make certain they are in compliance with HIPAA,” Dinkin said.
While the HIPAA Privacy Rule, issued by HHS in 2001, applies only to certain organizations—health plans, healthcare clearinghouses and some healthcare providers—the law recognizes that many entities do not carry out all healthcare activities themselves. Thus, they are authorized to share protected health information (PHI) with third-party claims processors, CPA firms, attorneys, consultants, independent medical transcriptionists, pharmacy benefits managers and other organizations that will be accessing protected medical records. [2] When business associates receive protected health information, they become liable for the unauthorized disclosure of that information. [4]
“If a covered entity uses a business associate, there must be a written contract, called a business associate agreement, that requires the business associate to comply with certain requirements under the HIPAA rules,” he concluded.
About Cowden Associates:
Cowden Associates, Inc., headquartered in Pittsburgh, Penn., was created in 2001 by the merger of Halliwell and Associates and MMC&P Spectrum Benefits, which was founded by Jere Cowden in 1986. Currently led by President & CEO Elliot Dinkin, Cowden Associates specializes in helping corporate clients find the best solutions, both for the enterprise and for its employees, with regard to compensation, healthcare benefits, retirement and pension issues, and Taft-Hartley fund consulting. Winning Workplaces and The Wall Street Journal have recognized Cowden Associates as a “Top Small Workplace,” a lifetime designation awarded to executives for their ability to build and lead savvy organizations. For more information, visit www.cowdenassociates.com
[1] “Touchstone Medical Imaging Fined $3 Million by OCR for Extensive HIPAA Failures,” HIPAA Journal, May 6, 2019.
[2] “MEI Settles HIPAA Breach Case for $100,000,” HIPAA Journal, May 24, 2019.
[3] “Multi-State Action Results in $900,000 Financial Penalty for Medical Informatics Engineering,” HIPAA Journal, May 28, 2019.
[4] “New HHS Fact Sheet on Direct Liability of Business Associates under HIPAA,” U.S. Department of Health and Human Services, April 3, 2003.
# # #
Karla Jo Helms
888-202-4614 ext. 802