It is not possible to prevent all healthcare data breaches, but when a breach does occur it must be investigated and mitigated promptly. Delaying the breach response and the required notifications can prove extremely costly, as the Tennessee medical imaging firm Touchstone Medical Imaging discovered.
On May 9, 2014, Touchstone Medical Imaging was notified by the FBI that one of its FTP servers had been left unsecured. The HHS' Office for Civil Rights (OCR) was notified about the breach at the same time. OCR confirmed on May 12, 2014 that files on the server containing patients' protected health information (PHI) had been indexed by Google and could be opened from a search result without any authentication.
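The misconfiguration described above, an FTP server that serves patient files to anyone who connects, is one of the easiest exposures to check for from the outside. The following is an added example, not code from the original article or from Touchstone, OCR or the FBI: it connects to a host you name, attempts the standard anonymous login, and reports whether a directory listing comes back. The host name `ftp.example.invalid` and the `FtpExposure` result type are assumptions of this example. Note that only `login()` and `nlst()` are used, which is what lets the probe be exercised against a fake server object.

```python
"""Check whether an FTP server accepts anonymous logins and exposes a listing.

Added example for this article; not Touchstone's or OCR's code.
"""
import ftplib
from dataclasses import dataclass, field


@dataclass
class FtpExposure:
    """Result of one audit. 'entries' are the names visible to an anonymous user."""
    host: str
    reachable: bool = False
    anonymous_login: bool = False
    entries: list = field(default_factory=list)
    note: str = ""


def probe_anonymous_listing(ftp, max_entries=50):
    """Attempt an anonymous login on an already-connected ftplib.FTP-like object.

    Returns (login_ok, entries). Only ftp.login() and ftp.nlst() are called, so the
    function can be run against a fake object in tests as well as a real server.
    """
    try:
        # No arguments means user 'anonymous', password 'anonymous@' in ftplib.
        ftp.login()
    except ftplib.error_perm:
        return False, []
    try:
        names = ftp.nlst()
    except ftplib.error_perm:
        # Some servers answer "550 No files found" for an empty directory.
        # The login itself still succeeded, which is the finding that matters.
        names = []
    return True, list(names)[:max_entries]


def audit_ftp_host(host, port=21, timeout=5.0):
    """Connect to host:port, run the anonymous probe and summarise the outcome."""
    result = FtpExposure(host=host)
    ftp = ftplib.FTP()
    try:
        ftp.connect(host, port, timeout=timeout)
    except ftplib.all_errors as exc:  # includes OSError, so refused/timeouts land here
        result.note = f"connect failed: {exc}"
        return result
    result.reachable = True
    try:
        result.anonymous_login, result.entries = probe_anonymous_listing(ftp)
    finally:
        try:
            ftp.quit()
        except ftplib.all_errors:
            pass
    if result.anonymous_login and result.entries:
        result.note = "anonymous login accepted and directory listing returned"
    elif result.anonymous_login:
        result.note = "anonymous login accepted (listing empty or denied)"
    else:
        result.note = "anonymous login rejected"
    return result


if __name__ == "__main__":
    import sys
    # Hypothetical default target; pass a real host you are authorised to test.
    target = sys.argv[1] if len(sys.argv) > 1 else "ftp.example.invalid"
    print(audit_ftp_host(target))
```

An accepted anonymous login with a non-empty listing is the condition that makes content reachable by a search-engine crawler, which is exactly what OCR confirmed in this case; a rejected login is not proof of safety, since the server may still have weak credentials or be reachable through another path, so treat the probe as a first check rather than a clean bill of health.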
In response to the breach and the lack of notification, OCR alerted Touchstone Medical Imaging on August 19, 2014 that it had launched an investigation to assess compliance with HIPAA Rules.
Even though two federal agencies had alerted Touchstone Medical Imaging to the breach, one of them the main enforcer of HIPAA Rules, no action was taken to address the breach or to notify the individuals whose PHI had been exposed. OCR did not receive Touchstone's breach report until October 10, 2014, and affected patients and the media were not notified until 147 days after the breach was discovered. Under the HIPAA Breach Notification Rule, all three notifications (to affected individuals, to OCR, and, for breaches affecting more than 500 individuals, to the media) must be issued no later than 60 days after the discovery of a breach.
In addition to those HIPAA violations, the OCR investigation revealed that the PHI of 307,528 individuals had been impermissibly disclosed as a result of the FTP server misconfiguration. Touchstone had initially claimed that no patient data had been exposed.
Touchstone was also found not to have completed a comprehensive risk assessment prior to April 3, 2014, even though this has been a requirement of the HIPAA Security Rule since 2005. The breach was not investigated until September 26, 2014, more than four months after the company was first notified about it.
Touchstone was also found to have given two business associates access to systems containing patients' PHI without first entering into a business associate agreement (BAA) with those companies. A signed BAA was eventually obtained from one of those companies on June 2, 2016; no BAA was ever obtained from the other.
The extent of noncompliance, especially after the company had been notified of the breach by two federal agencies, makes this one of the clearest cases of willful neglect of HIPAA Rules in any OCR enforcement action. Willful neglect that is not corrected within 30 days falls into the highest penalty tier, which carries a maximum penalty of $1.5 million per year, per violation category.
Touchstone agreed to settle the case with OCR for $3,000,000. The settlement agreement also requires the firm to adopt a robust corrective action plan to address all areas of noncompliance.
This is the second HIPAA compliance penalty to be announced by OCR in 2019. In February, OCR announced that a $3 million settlement had been agreed with Cottage Health to resolve HIPAA violations.
The announcement of the latest settlement comes two weeks after OCR said it would be reducing the annual caps on financial penalties for HIPAA violations in three of the four penalty tiers. Egregious violations of HIPAA Rules, on the other hand, will continue to attract multi-million-dollar penalties.