iHealth Solutions settles HIPAA investigation from the Office for Civil Rights
Abby Grifno June 29, 2023
iHealth Solutions, LLC was recently investigated for violating HIPAA compliance regulations. The organization ultimately decided to settle the matter with the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR).
What happened
iHealth Solutions, a company conducting business as Advantum Health, is a Kentucky-based business associate providing billing, coding, and information technology services to healthcare organizations.
According to the report by the HHS, the breach was caused by a network server left unprotected in 2017. It left 267 individuals' information vulnerable at the time, and iHealth Solutions eventually released a breach report.
An investigation conducted by the OCR found that iHealth Solutions' patient information, including Social Security numbers, birth dates, addresses, medical histories, and more, had been transferred without authorization.
In the investigation, the OCR determined that iHealth Solutions did not have a robust system in place to analyze the risks and vulnerabilities of electronic protected health information.
Ultimately, iHealth Solutions agreed to pay $75,000 to the OCR and implement a corrective action plan to ensure future HIPAA compliance. The plan includes the following actions:
- Conduct an analysis of the organization to determine possible risks and vulnerabilities to protected health information.
- Develop and implement a risk management plan to address any discovered vulnerabilities or risks.
- Implement a process to evaluate any changes that could impact the security of protected health information.
- Develop, revise, and maintain its HIPAA policies and procedures.
Why it matters
In the full resolution agreement, iHealth Solutions is placed on a tight timeline to address any security risks and vulnerabilities; they have only 60 days to conduct an analysis and create new policies and procedures to address any concerns they have discovered. They also only have 30 days to complete their financial obligation to the OCR.
By settling, iHealth can avoid admitting guilt in the data breach and face reduced consequences.
Organizations should be vigilant in monitoring their security procedures, as this incident showcases the consequences of a data breach.
Even as hackers become more sophisticated in their strategies to obtain data, HIPAA-covered healthcare entities still have an obligation to meet the high standards for compliance and security.
What was said
In a statement from the OCR, Director Melanie Fontes Rainer said, "HIPAA business associates must protect the privacy and security of the health information they are entrusted with by HIPAA covered entities."
According to Rainer, it's of prime importance that "electronic protected health information is secure, and not accessible to just anyone with an internet connection."
iHealth released a statement to Information Security Media Group, stating, "No patient or client data was lost, used for nefarious reasons or negatively affected, and the time the data was exposed was limited to a few hours."
iHealth feels confident moving forward, citing new leadership and more advanced technology. Since the incident in 2017, no other HIPAA violations, complaints, or fines have occurred. The statement added, "iHealth Solutions agreed to the settlement to put an end to this years-dated issue."
The bottom line
iHealth holds firm that while there may have been vulnerabilities in its security operations, new technology and leadership have made it a safe and credible business associate.
The incident showcases the effects even a relatively minor data compromise can have. For smaller organizations especially, the financial implications can be hefty, emphasizing the need for thorough and steadfast HIPAA compliance at every stage.