The Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) has announced a settlement with Touchstone Medical Imaging (“Touchstone”) for potential violations of the HIPAA Security and Breach Notification Rules. Touchstone has agreed to pay $3,000,000 and adopt a corrective action plan.
Touchstone is a diagnostic medical imaging services company based in Franklin, Tennessee, that provides services in Nebraska, Texas, Colorado, Florida, and Illinois.
In May 2014, Touchstone was informed by the FBI and OCR that one of its FTP servers was allowing uncontrolled, unauthorized access to protected health information (PHI). This uncontrolled access allowed the files to be indexed by search engines, meaning an unauthorized individual could access another person’s PHI simply by performing an Internet search.
Initially, Touchstone stated that no PHI had been exposed by the uncontrolled server. That account changed during OCR’s investigation, when Touchstone ultimately admitted that the PHI of over 300,000 patients was, in fact, exposed. The information involved in the exposure included names, birth dates, Social Security numbers, and addresses.
Even after the notice had been issued to Touchstone and the server had been taken offline, PHI remained visible on the Internet.
OCR found that Touchstone was in violation of multiple HIPAA rules. Following the breach notice issued by the FBI and OCR, Touchstone failed to conduct a thorough investigation of the breach for several months. Not only did the delayed investigation of the breach violate HIPAA, it also resulted in delayed breach notifications to the affected individuals and a delay in notifying the media, both additional HIPAA violations.
Further investigation revealed that Touchstone had also failed to conduct an accurate and thorough risk analysis of its organization, a critical component in identifying potential risks to the confidentiality, integrity, and availability of electronic PHI (ePHI). The violations do not stop there.
OCR also identified two situations in which Touchstone failed to have Business Associate Agreements in place with its vendors, including its IT support vendor and a third-party data center, another HIPAA violation.
The $3 million settlement is not the only action required of Touchstone. In addition to the monetary settlement, Touchstone must adopt a robust corrective action plan to address its HIPAA compliance deficiencies, including executing business associate agreements, completing an enterprise-wide risk analysis, and implementing HIPAA policies and procedures.
Although the number of HIPAA violations associated with this breach is extensive, each serves as an important reminder of requirements under HIPAA that cannot be ignored. Performing a risk analysis, having Business Associate Agreements in place for the entire duration of a vendor relationship, implementing and enforcing policies and procedures, ensuring technical safeguards are in place, and training employees on HIPAA and security awareness are just a few key pieces of HIPAA compliance that should be addressed and evaluated regularly.
In addition, this case highlights the need to take prompt action following a breach. Had Touchstone begun its corrective actions immediately after the notification from the FBI and OCR, several violations might have been avoided, specifically the violations related to delayed breach notifications.