Healthcare Compliance Perspective:
When a potential breach of Protected Health Information is discovered, healthcare providers must immediately investigate and, among other requirements, notify the affected individuals in writing, develop a plan of correction and monitor for any further breaches.
The settlement payment is made in lieu of possible civil money penalties for failing to protect millions of individuals’ protected health information (PHI) covered by the Health Insurance Portability and Accountability Act (HIPAA).
The FBI notified the company on two separate occasions in 2015 that its patient files had been illegally accessed by a third party, who retrieved the names, Social Security numbers, physicians’ names, diagnoses, treatment and insurance information of more than 2.2 million patients. OCR’s subsequent investigation found that the company did not follow up on the FBI notifications with a thorough and accurate evaluation of the effects of the breach, nor did it implement reasonable security measures to reduce the risks and vulnerabilities to its patients’ electronic protected health information (ePHI) to an acceptable level. The company also failed to put in place regular, periodic reviews of its information system activity through “audit logs, access reports and security incident tracking reports,” and it disclosed patients’ PHI to unauthorized “third party vendors.”
Along with the $2.3 million settlement, the company is required to provide a “risk analysis and risk management plan, revise policies and procedures, educate its workforce on policies and procedures, provide all maintained business associate agreements to OCR and submit an internal monitoring plan.”
The healthcare provider filed for Chapter 11 bankruptcy protection in May 2017, and the settlement with OCR was approved by the Bankruptcy Court in December 2017.