Medical Informatics Engineering, Inc., a medical records service in Indiana, has paid the Office for Civil Rights (OCR) $100,000 to settle a HIPAA breach.
In May, 2019, the OCR reported that Medical Informatics Engineering (MIE) had paid a fine of $100,000 and agreed to take corrective action to settle a HIPAA breach. MIE is a company in Indiana that provides software and electronic medical records services to health care providers.
On June 23, 2015, MIE submitted a breach report to the OCR after the company discovered hackers used a compromised user’s ID and password to access information they shouldn’t have. Approximately 3.5 million people’s electronic protected health information (ePHI) was accessed inappropriately.
How could this breach happen?
After the incident was reported, the OCR investigated the situation and discovered MIE had not conducted a comprehensive risk analysis (assessment). Remember, a risk assessment is required for a company to claim HIPAA compliance. This risk assessment must look at potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI.
What does the OCR say about this?
The OCR director, Roger Severino said: “entities entrusted with medical records must be on guard against hackers. The failure to identify potential risks and vulnerabilities to ePHI opens the door to breaches and violates HIPAA.”
Additionally, the $100,000 fine says that the OCR won’t tolerate noncompliance like this.
MIE will now need to conduct a thorough risk assessment. This will need to be done for the whole company, not just one area or department. After the risk assessment is done, MIE will then need to determine if there are any risks or vulnerabilities that can be addressed and create an action plan on how to address all the issues discovered. Then the company will need to start implementing fixes and safeguards according to the plan.
What can we do?
Learn from MIE’s mistake. Join HIPAAgps today and start your risk assessment. You can also find policies and procedures templates and training videos for your officers and employees. We offer a 7-day, Risk-Free trial, so you can see if HIPAAgps is the right fit for you.