HHS has introduced a decision settlement with a enterprise affiliate that had contracts with two lined well being care entities to deal with and shield particular person digital protected well being data (ePHI) containing delicate data akin to affected person names, billing addresses, phone numbers, main well being insurers, and social safety numbers. After receiving a breach notification report alleging {that a} File Switch Protocol server containing ePHI was brazenly accessible to the general public on the web, HHS commenced an investigation. The investigation indicated that the enterprise affiliate disclosed greater than 230,000 people’ ePHI, didn’t enter right into a enterprise affiliate settlement with a subcontractor, and didn’t conduct a safety danger evaluation or implement a administration plan to find out and handle vulnerabilities of ePHI throughout the group. The HHS press launch underscored that the Workplace of Civil Rights (OCR) investigates all breach studies of unsecured PHI affecting 500 or extra folks, that hacking/IT incidents have been essentially the most frequent sort of huge breach reported in 2022, and that community servers are the most important class of breaches involving greater than 500 people.

The decision settlement requires a $350,000 settlement fee and compliance with a two-year corrective motion plan (CAP). Beneath the CAP, the enterprise affiliate should, amongst different issues, submit the next for HHS’s overview and approval to make sure compliance with HIPAA: (1) a complete danger evaluation and danger administration plan; (2) insurance policies and procedures which can be distributed to all members of the workforce; and (3) a privateness and safety coaching program for workforce members which have entry to PHI. The enterprise affiliate should additionally examine failures to adjust to insurance policies and procedures and report any materials failure to HHS.

EBIA Remark: This decision settlement reminds well being plans of the significance of performing prudently as HIPAA lined entities, and periodically revisiting their danger evaluation, danger administration plan, enterprise affiliate agreements, insurance policies and procedures, and coaching. Certainly, the HHS press launch cautions HIPAA lined entities and their enterprise associates to “enhance their efforts” to establish, deter, shield in opposition to, detect, and reply to cybersecurity threats and malicious actors. The enterprise affiliate on this scenario may need been capable of keep away from the HIPAA breach and audit if it had a danger evaluation and administration plan, insurance policies and procedures, and coaching. Moreover, it’s prudent apply for well being plans that entrust members’ ePHI to different entities to observe these entities and guarantee compliance via getting into into enterprise affiliate agreements and conducting common safety audits. For extra data, see EBIA’s HIPAA Portability, Privateness & Safety guide at Sections XX.D (“Decision Agreements”), XXIII.F (“Making use of the HIPAA Privateness and Safety Guidelines to Group Well being Plans and Their Sponsors”), XXIV.F (“HIPAA Audits”), XXV.H (“Breach Planning and Response”), XXX.F (“Insurance policies and Procedures, Documentation Necessities”), and XXXI.E (“Issues Regarding HIPAA Safety”).

Contributing Editors: EBIA Workers.