Getty Images

HHS Settles HIPAA Investigation With Healthcare Business Associate

Healthcare business associate iHealth Solutions paid $75,000 to OCR to resolve potential HIPAA violations.

The HHS Office for Civil Rights (OCR) settled a HIPAA investigation involving iHealth Solutions (also known as Advantum Health), a healthcare business associate that provides coding, billing, and IT services to providers.

OCR launched an investigation into iHealth Solutions in August 2017, following a data breach that the company suffered involving the unauthorized transfer of protected health information (PHI) from an unsecured server.

The compromised information included patient names, addresses, treatment information, diagnoses, medical procedures, medical histories, email addresses, and Social Security numbers pertaining to 267 individuals.

“In addition to the impermissible disclosure of protected health information, OCR’s investigation found evidence of the potential failure by iHealth Solutions to have in place an analysis to determine risks and vulnerabilities to electronic protected health information across the organization,” OCR stated.

iHealth was required to pay $75,000 to OCR and implement a corrective action plan to resolve potential HIPAA Privacy and Security Rule violations.

Specifically, the company will have to conduct a thorough risk analysis of its organization to identify vulnerabilities, develop a risk management plan, and implement operational changes to ensure that PHI remains secure.

“HIPAA business associates must protect the privacy and security of the health information they are entrusted with by HIPAA covered entities,” said OCR Director Melanie Fontes Rainer. “Effective cybersecurity includes ensuring that electronic protected health information is secure, and not accessible to just anyone with an internet connection.”

Other recent HHS OCR settlements include an EHR snooping case at Yakima Valley Memorial Hospital and a potential HIPAA violation by a New Jersey-based psychiatry provider, Manasa Health Center. In the former case, 23 security guards at Yakima Valley Memorial Hospital were allegedly using their credentials to access patient medical records. The hospital agreed to pay $240,000 to resolve the case.

In the latter settlement, a Manasa Health Center faced an OCR investigation after it improperly disclosed the PHI of a patient in response to a negative online review. OCR’s recent actions underscored its commitment to investigating and enforcing potential HIPAA violations.

Next Steps

Dig Deeper on HIPAA compliance and regulation