2023-05-29

On May 16, 2023, the U.S. Department of Health and Human Services (DHHS), through the Office for Civil Rights (OCR), announced a settlement of potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Rules with MedEvolve, Inc. MedEvolve is a business associate that provides practice management, revenue cycle management, and practice analytics software services to covered healthcare entities. The settlement relates to a data breach in which a server containing the protected health information of 230,572 individuals was left unsecured and accessible from the internet.

OCR identified a lack of an analysis to determine risks and vulnerabilities to electronic protected health information (ePHI) across the organization, and a failure to enter into a business associate agreement with a subcontractor. As part of the settlement, MedEvolve has paid a $350,000 monetary settlement to OCR and entered into a corrective action plan.

As part of the settlement agreement, MedEvolve will be monitored by OCR for two years. It will be required to conduct an accurate and thorough risk analysis to determine the risks and vulnerabilities to electronic patient data across the organization, and to develop and implement a risk management plan to address and mitigate any identified security risks and vulnerabilities.

Some of the key takeaways from the OCR publication are the following. OCR investigates every report it receives of a breach of unsecured protected health information affecting 500 or more individuals. Hacking/IT incidents were the most frequent type of breach reported to OCR in 2022, accounting for 79% of reports. HIPAA-regulated entities (Covered Entities and Business Associates) are responsible for ensuring that all protected health information they manage is adequately protected in compliance with the HIPAA regulations. An annual privacy and security assessment of the systems that manage protected health information should be performed to identify risks and vulnerabilities so that they can be properly addressed and mitigated.

Find here the link to the publication issued by the OCR: https://www.hhs.gov/about/news/2023/05/16/hhs-office-civil-rights-settles-hipaa-investigation-arkansas-business-associate-medevolve-following-unlawful-disclosure-phi-unsecured-server-350-000.html

