Topics
Reimbursement
Healthcare groups prod Congress to stop CMS' payment cuts
Healthcare groups prod Congress to stop CMS' payment cuts
Revenue Cycle Management
The transactional revenue cycle no longer works: Here's what does
The transactional revenue cycle no longer works: Here's what does
Strategic Planning
Q&A with Geisinger CEO and president Dr. Jaewon Ryu, who will be CEO of the new Risant Health
Q&A with Geisinger CEO and president Dr. Jaewon Ryu
Capital Finance
Cash shortages plague hospitals but there are signs of improvement ahead
Cash shortages plague hospitals
Supply Chain
HIMSSCast: Embrace technology to replace the mundane tasks
HIMSSCast: Embrace technology to replace the mundane tasks
Accounting & Financial Management
Optum growth fuels strong quarter for UnitedHealth Group
Optum growth fuels strong quarter for UnitedHealth Group
Budgeting
Insurers likely to pay $1.1 billion in rebates this fall
Insurers likely to pay $1.1 billion in rebates this fall
Quality and Safety
U.S. News revises 'Best Hospitals' methodology in wake of backlash
U.S. News revises 'Best Hospitals' methodology in wake of backlash
Billing and Collections
Paying for healthcare creates mental and financial health concerns
Paying for care creates mental, financial concerns
Claims Processing
94% of physicians report care delays due to prior authorization, AMA says
94% of physicians report care delays due to prior authorization, AMA says
Workforce
AMA pushes to end noncompete clauses in physician contracts
AMA pushes to end noncompete clauses
Operations
Sola launches in growing employer self-funded health plan market
Sola launches in growing self-funded health plan market
Medical Devices
Humana teams with durable medical equipment organizations on home care
Humana teams with DME orgs on home care
Hospital/physician relations
Physicians would rather leave than work for Envision, doctor says
Physicians would rather leave than work for Envision, doctor says
Construction & Facilities Management
Providence announces $712 million expansion in southern California 
Providence announces $712M expansion in southern California 
Compliance & Legal
Florida men plead guilty to $67 million Medicare fraud scheme
Florida men plead guilty to $67 million Medicare fraud scheme
Policy and Legislation
CMS expanding Medicare Diabetes Prevention Program
CMS expanding Medicare Diabetes Prevention Program
Community Benefit
AMA and others launch collective call for health equity in Rise to Health
AMA and others launch collective call for health equity
Accountable Care
CMS is testing new primary care model
CMS is testing new primary care model
Acute Care
A cyberattack is partly to blame for St. Margaret's Health closing all operations
A cyberattack is partly to blame for St. Margaret's Health closing all operations
Ambulatory Care
Hospitals face direct competition from the 'retailization' of healthcare
Hospitals face direct competition from the 'retailization' of healthcare
Analytics
Top Stories: Patient information exposed in PharMerica breach
Top Stories: Patient information exposed in PharMerica breach
Business Intelligence
Healthcare job cuts increase 97% from 2022
Healthcare job cuts increase 97% from 2022
ICD-10 & Coding
Physician practices examine risk adjustment coding in wake of federal lawsuits
Practices keeping close watch on risk adjustment coding
Meaningful Use
CMS overhauls meaningful use EHR program, renames it 'Promoting Interoperability'
CMS overhauls meaningful use as 'Promoting Interoperability'
Medicare & Medicaid
Significant differences uncovered between MA, FFS enrollees
Significant differences uncovered between MA, FFS enrollees
Patient Engagement
Commercial health plan member satisfaction declining in key areas
Commercial health plan member satisfaction declining
Pharmacy
Pharmacy leaders meet with White House on Medicare prescription drug benefits
Pharmacy leaders meet with White House on Rx drug benefits
Population Health
One in four skip wellness appointments, regular checkups
One in four adults skip wellness appointments, regular checkups
Risk Management
UPMC for You partners to offer Medicaid redetermination coverage in laundromats
UPMC for You offers Medicaid redetermination coverage in laundromats
Telehealth
Telehealth linked to fewer in-person follow-up visits
Telehealth linked to fewer in-person follow-up visits
Mergers & Acquisitions
M&A activity returning to pre-pandemic levels
M&A activity returning to pre-pandemic levels
View more
May 17 More on Compliance & Legal

OCR settles HIPAA investigation into protected health information at MedEvolve

A data breach left the protected health information of 230,572 people exposed, leading to a monetary fine and mandatory oversight.

Jeff Lagasse, Associate Editor

Photo: Al David Sacks/Getty Images

The U.S. Department of Health and Human Services' Office for Civil Rights has settled with MedEvolve for $350,000 over potential HIPAA violations regarding a data breach in which a server containing protected health information was left unsecure and accessible over the internet.

MedEvolve provides practice management, revenue cycle management and practice analytics software services to covered healthcare entities. OCR's investigation found that a 2018 data breach left the protected health information of 230,572 people exposed – a potential HIPAA violation. The HIPAA Privacy, Security, and Breach Notification Rules apply to most healthcare breaches and set the requirements that HIPAA-regulated entities must follow to protect the privacy and security of health information.

The potential violations in this case include the lack of an analysis to determine risks and vulnerabilities to electronic protected health information across the organization and the failure to enter into a business associate agreement with a subcontractor, said OCR.

The HIPAA Rules require that covered entities and business associates – a person or entity that has access to protected health information as part of their relationship with a covered entity – enter into contracts that generally document the permissible uses and disclosures of protected health information, and ensure appropriate safeguards will be implemented, and that the covered entity will be notified of any breaches.

In addition to the monetary settlement, MedEvolve agreed to implement a corrective action plan to better shore up its data security.

WHAT'S THE IMPACT

The investigation was initiated in July 2018, following a breach notification report stating that a server containing electronic protected health information was openly accessible to the internet. The information included patient names, billing addresses, telephone numbers, primary health insurer and doctor's office account numbers, and in some cases Social Security numbers.

OCR investigates such breaches if they involve the protected health information of 500 people or more. Hacking/IT incidents was the most frequent (79%) type of large breach that was reported to OCR in 2022. Network servers are the largest category by location for these breaches.

THE LARGER TREND

As part of the settlement, MedEvolve will be monitored for two years to ensure HIPAA compliance. 

The organization has also agreed to take a number of steps, including conducting a risk analysis and developing a risk management plan to identify security risks.

MedEvolve will also maintain and revise its written policies and procedures, augment its existing HIPAA and Security Training Program for all MedEvolve workforce members who have access to protected health information, and report to HHS within 60 days days when workforce members fail to comply with the written policies and HIPAA rules.

ON THE RECORD

"Ensuring that security measures are in place to protect electronic protected health information where it is stored is an integral part of cybersecurity and the protection of patient privacy," said OCR Director Melanie Fontes Rainer. "HIPAA regulated entities must ensure that they are not leaving patient health information unsecured on network servers available to the public via the internet."
 

Twitter: @JELagasse
Email the writer: Jeff.Lagasse@himssmedia.com

News
Healthcare organizations ask HHS to delay quality measure reporting for ACOs Healthcare organizations ask HHS to delay quality measure reporting for ACOs The American Hospital Association and American Medical Association are among the 11 organizations signing the letter.