The Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS) has announced a settlement with a business associate that provides wellness plans to clients nationwide.
OCR opened its investigation into the business associate's compliance with HIPAA's security rule after the business associate filed four breach reports within three months, each stating that electronic protected health information (ePHI) was discoverable online. Because of a software misconfiguration on the server holding the ePHI, web crawlers (the automated programs search engines use to index web content) were able to reach the data, which is how it became discoverable. The breach affected 4,304 individuals.
As a result of its investigation, OCR found that the business associate had failed to fully assess "potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI."
The resolution agreement requires the business associate to pay $227,816 and follow a two-year corrective action plan (CAP). Under the CAP, the business associate must develop and submit the following:
- An annually updated risk analysis;
- A risk management plan;
- A process for evaluating environmental and operational changes; and
- Written policies and procedures to address vulnerabilities identified in the risk analysis.
The settlement is an enforcement action under OCR's Risk Analysis Initiative, which is designed to emphasize that covered entities and business associates must prioritize the HIPAA security rule's risk analysis requirement. It is also a reminder that covered entities should vet potential business associates before engaging them, confirming that each one maintains a HIPAA-compliant risk analysis that is regularly reviewed and updated.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.