$350K Settlement Highlights Need For Plans & Plan Service Providers To Ensure Security, Business Associate & Other HIPAA Requirements Met

May 24, 2023

A newly announced Department of Health and Human Services Office of Civil Rights (“OCR”) Health Insurance Portability and Accountability Act (“HIPAA”) settlement agreement with a medical practice manager business associate highlights the need for health plans and other HIPAA covered entities to ensure servers are properly secured and that they and every third party administrator, technology, audit, accounting and other plan service provider with access to protected health information (“business associate”) can prove all necessary business associate agreements, security safeguards and other policies and practices are in place in the event of a HIPAA breach, audit or other compliance event.

The latest warning comes from OCR’s May 16, 2023 announcement that medical practice manager MedEvolve, Inc. (“MedEvolve”) paid OCR $350,000 and committed to a corrective action plan under a resolution agreement reached to settle OCR charges that MedEvolve violated HIPAA by failing to properly secure servers containing its covered entity clients’ PHI, not obtaining required business associate agreements with business associate subcontractors, and violating other HIPAA requirements. Like many service providers to medical practices, health plans or other HIPAA covered entities, MedEvolve was subject to HIPAA’s Privacy, Security, Breach Notification and business associate agreement requirements due to its access, possession, use, protection, and disclosure of PHI in the course of servicing its covered entity customers.

HIPAA Privacy, Security and Breach Rules Generally

HIPAA generally requires health care providers, health plans and insurers, health care clearinghouses (“covered entities”) and business associates to maintain the privacy and security of PHI as required by HIPAA. In addition, HIPAA’s Security Rule requires covered entities and their business associates to conduct risk assessments and implement and administer appropriate safeguards and procedures to protect electronic PHI from improper use, access, disclosure or destruction and, in the event of a breach, to provide notification and take other action required by HIPAA’s Breach Notification Rule. HIPAA’s business associate rules also require both covered entities and their business associates to enter into business associate agreements that document the business associate’s commitment to adhere to HIPAA’s Privacy, Security and Breach Notification Rules before a business associate accesses PHI.

Violators of these and other HIPAA Privacy, Security and Data Breach rules risk substantial civil monetary penalties assessed based on the culpability of the violation and adjusted annually for inflation. Based on the most recent annual inflation adjustments made in 2022, the current indexed penalty amounts as of May 24, 2023 for each HIPAA violation are as follows:

  • Tier 1—lack of knowledge: The minimum penalty is $127; the maximum penalty is $63,973; and the calendar-year cap is $1,919,173.
  • Tier 2—reasonable cause and not willful neglect: The minimum penalty is $1,280; the maximum penalty is $63,973; and the calendar-year cap is $1,919,173.
  • Tier 3—willful neglect, corrected within 30 days: The minimum penalty is $12,794; the maximum penalty is $63,973; and the calendar-year cap is $1,919,173.
  • Tier 4—willful neglect, not corrected within 30 days: The minimum penalty is $63,973; the maximum penalty is $1,919,173; and the calendar-year cap is $1,919,173.

These amounts almost certainly will increase further when 2023 inflation adjustments are published.

While OCR can impose these significant civil monetary penalties for HIPAA violations, most violations are resolved outside the cumbersome and costly civil monetary penalty process. Under HIPAA, OCR possesses the authority to negotiate resolution agreements that allow covered entities and business associates OCR accuses of violating the HIPAA Privacy, Security or Breach Notification Rules to settle HIPAA charges without the assessment of authorized civil monetary penalties. The vast majority of HIPAA violations found by OCR are resolved through the resolution agreement process, since OCR typically sets the required settlement payment amount below the maximum civil monetary penalty amount and the accused party avoids the cost and disruption of the civil monetary penalty process. The newly announced MedEvolve settlement is the latest resolution of HIPAA violation charges announced by OCR.

$350,000 MedEvolve Resolution Agreement Highlights Server and Service Provider Risk

The HIPAA charges against MedEvolve arose from deficiencies in MedEvolve’s implementation of its responsibilities to secure data, obtain business associate agreements with any subcontractors given access to client PHI, and other HIPAA obligations assumed under its business associate agreements with its customers. While MedEvolve’s customers generally were medical practices or other health care providers, self-insured health plans, health insurers and health plan service providers subject to HIPAA as covered entities and business associates often also rely upon third-party systems or services that involve sharing health plan PHI, or upon third-party-provided servers, technology or other resources, to collect and administer health plan data and administer health plan functions.

The OCR investigation of MedEvolve began in response to a series of breach notifications filed by MedEvolve with OCR. As a provider of practice management, revenue cycle management, and practice analytics software services to medical practices, MedEvolve was a business associate responsible for the collection and administration of PHI for the health care providers it served.

OCR’s investigation began after MedEvolve notified OCR of a breach of PHI on its server through an initial Breach Notification Report filed on July 10, 2018, which it supplemented by addendums filed on July 30, 2018 and August 12, 2020 (the “Reports”). According to the Reports, MedEvolve discovered on May 4, 2018 that a File Transfer Protocol (FTP) server containing PHI had been unsecured and accessible on the internet since January 1, 2018. The breach affected the PHI of a total of 230,572 individuals at two covered entities for which MedEvolve provided software and revenue cycle management services: Premier Immediate Medical Care, LLC (204,607 individuals affected) and the office of Dr. Beverly Held (25,965 individuals affected). The breached information included patient names, billing addresses, telephone numbers, primary health insurer and doctor’s office account numbers, and in some cases Social Security numbers. The OCR investigation uncovered evidence that PHI for both covered entities was viewed by at least one unauthorized individual while the FTP server was open to the public.

Based on its investigation, OCR concluded that MedEvolve violated HIPAA by:

  • Allowing the disclosure of PHI of 230,572 individuals;
  • Failing to enter into a business associate agreement with a subcontractor;
  • Failing to conduct a sufficiently accurate or thorough risk assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by it as a business associate.

To avoid the potentially much more significant civil monetary penalties that HIPAA authorizes OCR to impose for such breaches, MedEvolve entered into a resolution agreement with OCR that required MedEvolve to pay OCR $350,000 and take a series of corrective actions specified in the corrective action plan included in the resolution agreement. To benefit from the resolution agreement, MedEvolve must fully implement and adhere to all requirements of the corrective action plan, including:

  • Conducting, within 30 days and annually thereafter, a complete risk assessment of the security risks and vulnerabilities of all electronic equipment, data systems, programs and applications controlled, administered, owned, or shared by MedEvolve or its affiliates that contain, store, transmit or receive MedEvolve ePHI, and preparing a report of that assessment satisfactory to OCR;
  • Developing and implementing, to the satisfaction of OCR, an enterprise-wide risk management plan to address and mitigate any security risks and vulnerabilities identified in the risk analysis, which includes a process and timeline for MedEvolve’s implementation, evaluation, and revision of its risk remediation activities;
  • Developing, maintaining, and revising, as necessary, to the satisfaction of OCR, its written business associate agreements and any other policies and procedures to comply with Federal standards that govern the privacy and security of PHI;
  • Conducting training on the adopted HIPAA policies and procedures;
  • Retaining all documents and records relating to compliance with the corrective action plan for six years from the effective date of the corrective action plan;
  • If MedEvolve receives information that a workforce member may have failed to comply with the HIPAA policies and procedures (a “Reportable Event”), investigating promptly and notifying HHS about its investigation findings within 60 days;
  • Submitting to OCR monitoring for at least two years; and
  • Various other requirements for reporting, certification and notification to OCR.

MedEvolve agrees in the resolution agreement that OCR may treat any failure by MedEvolve to fully comply with all requirements of the corrective action plan as a breach of the agreement and assess civil monetary penalties under HIPAA.

Warning To Other Health Plans and Other HIPAA Regulated Entities To Secure Servers And Other Systems With PHI

OCR’s announcement of the MedEvolve resolution agreement pointedly warns other covered entities and business associates to ensure the adequacy of their own and their business associates’ security of network and other servers and of their other HIPAA compliance. It also highlights many common compliance weaknesses that place covered entities and business associates at risk.

“Ensuring that security measures are in place to protect electronic protected health information where it is stored is an integral part of cybersecurity and the protection of patient privacy,” said OCR Director Melanie Fontes Rainer. “HIPAA regulated entities must ensure that they are not leaving patient health information unsecured on network servers available to the public via the internet.”

Server breaches like the one at MedEvolve are among the most common sources of HIPAA sanctions. Deficiencies in the security of servers of covered entities or their business associates are common HIPAA compliance deficiencies and raise significant enforcement and liability risks when a breach happens. Hacking/IT incidents were the most frequent (79%) type of large breach reported to OCR in 2022, and network servers were the most common location of these large breaches.

Along with the frequency of these events, the risk of enforcement for server breaches is heightened by HIPAA breach reporting and investigation protocols. The HIPAA Breach Rule mandates expedited reporting for breaches of unsecured PHI affecting 500 or more people. As a matter of policy, OCR investigates every large breach report. Consequently, it is critical that HIPAA covered entities and their business associates use appropriate documented processes to identify, deter, protect against, detect, and respond to cybersecurity threats and malicious actors involving their servers. Timely notification can mitigate exposure to additional liability for untimely breach notification. Where a large breach occurs, however, a covered entity or business associate can expect an investigation of the source of the breach as well as its overall compliance.

The resolution agreement also illustrates how HIPAA breach liability can arise from subcontracting of HIPAA covered responsibilities by a covered entity or business associate without ensuring the necessary business associate agreements and other HIPAA safeguards are implemented.

In light of reminders from enforcement actions like the MedEvolve resolution agreement, all covered entities and business associates should take documented steps to confirm the adequacy of the security of all covered entity and business associate servers and other networks and storage devices holding electronic PHI: now, whenever updates or other changes are implemented, whenever evidence of potential compromise arises, and on a scheduled periodic basis. Covered entities and business associates also should verify that they have in place appropriate business associate agreements with every service provider allowed to use, access or disclose PHI.

Covered entities and business associates may wish to supplement the basic business associate agreement requirements mandated by the HIPAA Rules with additional safeguards providing for periodic reassurances or certifications of ongoing compliance, audit and investigation commitments, notification and other requirements regarding the use of subcontractors or delegated systems or services, provisions on indemnification and insurance commitments, or other safeguards.

For More Information

We hope this update is helpful. For more information about these or other health or other employee benefit, insurance, health care, workforce or other legal, management or public policy responsibilities or developments, please contact the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452-8297.

Solutions Law Press, Inc. invites you to receive future updates by registering on our Solutions Law Press, Inc. Website and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations Group, HR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy.

About the Author

Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition by LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law, and as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and a management consultant, author, public policy advocate and lecturer widely known for 35+ years of health industry and other management work, public policy leadership and advocacy, coaching, teaching, and publications. As a significant part of her work, Ms. Stamer has worked extensively domestically and internationally with business, government and community leaders to prepare for and deal with pregnancy, disability and other discrimination, leave, health and safety, and other workforce, employee benefit, health care and other operations planning, preparedness and response for more than 35 years. As a part of this work, she regularly advises businesses and government leaders on an on-demand and ongoing basis about preparation of workforce, health care and other business and government policies and practices to deal with management in a wide range of contexts ranging from day to day operations, through times of change and in response to complaints, investigations and enforcement.

Author of a multitude of other highly regarded publications and presentations on MHPAEA and other health and other benefits, workforce, compliance, workers’ compensation and occupational disease, business disaster and distress and many other topics, Ms. Stamer has worked with health plans, employers, insurers, government leaders and others on these and other health benefit, workforce and performance and other operational and tactical concerns throughout her adult life.

A former lead advisor to the Government of Bolivia on its pension privatization project, Ms. Stamer also has worked domestically and internationally as an advisor to business, community and government leaders on health, severance, disability, pension and other workforce, health care and other reform, as well as regularly advises and defends organizations about the design, administration and defense of their organization’s workforce, employee benefit and compensation, safety, discipline and other management practices and actions.

Board Certified in Labor and Employment Law by the Texas Board of Legal Specialization, Scribe for the ABA JCEB Annual Agency Meeting with OCR, Chair-Elect of the ABA TIPS Medicine and Law Committee, Chair of the ABA International Section Life Sciences Committee, and Past Group Chair and current Welfare Plan Committee Chair of the ABA RPTE Employee Benefits & Other Compensation Group, former Vice President and Executive Director of the North Texas Health Care Compliance Professionals Association, past Board President of Richardson Development Center (now Warren Center) for Children Early Childhood Intervention Agency, past North Texas United Way Long Range Planning Committee Member, past Board Member and Compliance Chair of the National Kidney Foundation of North Texas, and a Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also shares her extensive publications and thought leadership as well as leadership involvement in a broad range of other professional and civic organizations. For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also may be interested in reviewing some of our other Solutions Law Press, Inc.™ resources available here such as:

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.