Health Information Compliance Alert

Enforcement News:

Tennessee Company Agrees to Pay $3 Million to Settle HIPAA Violations

After the HHS Office for Civil Rights (OCR) racked up staggering enforcement numbers for 2018, its 2019 track record seemed to be slowing down, with fewer large-scale breaches on the books. But a recent big settlement may signal that the feds are ramping up.

Context: Franklin, Tennessee-based Touchstone Medical Imaging will fork over $3 million to the OCR and enter into a corrective action plan for dropping the ball on a security incident that exposed 300,000 patients’ protected health information (PHI), an OCR release suggests. Touchstone failed to address risks and to implement business associate agreements (BAAs), and it ignored the loss of ePHI until months after the incident.

“Covered entities must respond to suspected and known security incidents with the seriousness they are due, especially after being notified by two law enforcement agencies of a problem,” said OCR director Roger Severino in the release. “Neglecting to have a comprehensive, enterprise-wide risk analysis, as illustrated by this case, is a recipe for failure.”

See the settlement logistics at www.hhs.gov/about/news/2019/05/06/tennessee-diagnostic-medical-imaging-services-company-pays-3000000-settle-breach.html.