On May 16, 2023, the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) announced a settlement with a software company for alleged noncompliance with HIPAA regulations. MedEvolve, Inc. is a HIPAA business associate to healthcare organizations and provides practice management, revenue cycle management, and practice analytics software services. Pursuant to its settlement with OCR, MedEvolve agreed to pay $350,000 and enter into a two-year corrective action plan.
In July 2018, OCR received a breach notification report that triggered a HIPAA compliance investigation of MedEvolve. The breach notification report stated that a File Transfer Protocol (FTP) server containing the protected health information (PHI) of 230,572 individuals had been openly accessible on the internet since January 1, 2018. The information on the FTP server included names, billing addresses, telephone numbers, primary health insurer, and doctor’s office account numbers, and in some cases Social Security numbers for patients of two of MedEvolve’s covered entity clients. OCR noted in the resolution agreement that it has evidence that at least one unauthorized individual viewed PHI for patients of each covered entity while the FTP server was unsecured.
The $350,000 settlement serves as a reminder that HIPAA compliance is not only important for covered entities, but for business associates as well. During its investigation, OCR determined that MedEvolve failed to enter into a business associate agreement with a subcontractor. Healthcare vendors regulated under HIPAA need to ensure that they are not only executing business associate agreements with their covered entity clients, but also with any of the vendor’s subcontractors if the arrangement involves access to, or the use or disclosure of, PHI.
OCR also found that MedEvolve did not conduct a “sufficiently accurate or thorough” risk analysis. While the lack of an enterprise-wide risk analysis is a common element of HIPAA noncompliance, it is also a key enforcement point for OCR. Covered entities, business associates, and subcontractor business associates who have not yet conducted a risk analysis, or whose existing analysis is not broad enough to assess all of the risks and vulnerabilities to electronic PHI held by the organization, should take steps to conduct a thorough and complete risk analysis. In addition to the monetary settlement, MedEvolve’s corrective action plan requires the entity to conduct a risk analysis to determine risks and vulnerabilities to electronic PHI and develop a risk management plan to address and mitigate identified risks. It also requires MedEvolve to augment its existing HIPAA training, among other requirements.