The Department of Health and Human Services’ Office for Civil Rights (OCR) has announced a settlement with Touchstone Medical Imaging, a diagnostic medical imaging services firm based in Franklin, TN. The settlement resolves the HIPAA Rules violations that OCR discovered while investigating a data breach that occurred in 2014.
Touchstone Medical Imaging agreed to pay $3,000,000 to settle the violations and to follow a corrective action plan (CAP) to address its HIPAA compliance failures. The substantial settlement amount reflects Touchstone’s extensive and long-term noncompliance with the HIPAA Rules. OCR alleged that Touchstone had committed 8 different violations of 10 HIPAA provisions. Under the settlement, Touchstone resolves the HIPAA case without admitting liability.
On May 9, 2014, the FBI informed Touchstone Medical Imaging that one of its FTP servers was reachable over the Internet and permitted anonymous connections to a shared directory. Files stored in that directory contained the protected health information (PHI) of 307,839 individuals.
Because of lapses in access controls, search engines had indexed some of the files, so the information could be found by members of the public through simple online searches. Even after the server was taken offline, the patient information remained accessible over the web through those cached search results. The failure to secure the server was viewed as a violation of 45 C.F.R. § 164.312(a)(1).
Touchstone reported the security breach to OCR, but claimed that no PHI had been exposed. When OCR investigated the breach, Touchstone admitted that PHI had in fact been exposed: patients’ names, addresses, dates of birth, and Social Security numbers had been accessible over the web.
Besides the impermissible disclosure of the PHI of 307,839 people, a violation of 45 C.F.R. § 164.502(a), OCR found that Touchstone did not properly investigate the security breach until September 26, 2014, several months after the FBI had notified Touchstone of the breach and after Touchstone had notified OCR. Delaying a breach investigation violates 45 C.F.R. § 164.308(a)(6)(ii).
Because of the delayed investigation, affected individuals did not receive breach notifications until 147 days after the breach was discovered, well beyond the 60-day deadline set by the Breach Notification Rule. The late individual notifications violated 45 C.F.R. § 164.404. The media notice was also issued 147 days after the breach was discovered, a violation of 45 C.F.R. § 164.406.
OCR’s investigation also found that Touchstone had not conducted a comprehensive, organization-wide risk analysis to identify all risks to the confidentiality, integrity, and availability of ePHI, which violates 45 C.F.R. § 164.308(a)(1)(ii)(A). OCR further identified two instances in which Touchstone failed to have a business associate agreement (BAA) in place with a vendor before giving that vendor access to systems containing ePHI. Touchstone used the services of MedIT Associates without a BAA (a violation of 45 C.F.R. §§ 164.502(e)(2), 164.504(e), and 164.308(b)) and of XO Communications without a BAA (a violation of 45 C.F.R. § 164.308(a)(1)(ii)(A)). Touchstone also violated 45 C.F.R. § 164.308(b) by continuing to use XO Communications without a BAA.
This settlement highlights that, even though minor HIPAA violations now carry lower financial penalties, serious violations of the HIPAA Rules and a failure to act promptly to correct them can still attract substantial financial penalties.