Healthcare Clearinghouse Settles Multi-state HIPAA Investigation for $1.4 Million

Inmediata has agreed to a $1.4 million settlement to resolve a multi-state investigation of potential violations of the Health Insurance Portability and Accountability Act (HIPAA) and state breach notification laws.

On January 15, 2019, the Department of Health and Human Services’ Office for Civil Rights (OCR) notified the Puerto Rico-based healthcare clearinghouse that a server containing the protected health information that it maintained had not been properly secured, resulting in files being indexed by search engines that could be found, accessed, and downloaded by anyone with Internet access. The files on the server contained the protected health information of 1,565,338 individuals and some of those files dated as far back as May 2016.

The HIPAA Breach Notification Rule requires HIPAA-covered entities to issue notifications to individuals affected by a data breach without undue delay and no later than 60 days from the discovery of a data breach. Despite being notified about the breach by OCR, the primary HIPAA regulator, Inmediata waited three months to mail notification letters, and when notification letters were mailed, a mailing error occurred, resulting in letters being sent to incorrect addresses.

Many Americans are unaware of the services provided by healthcare clearinghouses because they have no direct contact with them. Healthcare clearinghouses such as Inmediata facilitate transactions between healthcare providers and insurers and are classed as HIPAA-covered entities, which means they must comply fully with the HIPAA Privacy, Security, and Breach Notification Rules. The multi-state investigation found that the notification letters lacked clarity, which left some consumers confused about why Inmediata held their data and led some individuals to dismiss the letters as illegitimate.

The multi-state investigation was led by the Indiana Attorney General, assisted by an Executive Committee consisting of the attorneys general in Connecticut, Michigan, and Tennessee. Alabama, Arizona, Arkansas, Colorado, Connecticut, Delaware, Georgia, Indiana, Iowa, Kansas, Kentucky, Louisiana, Maryland, Massachusetts, Michigan, Minnesota, Mississippi, Montana, Nebraska, New Hampshire, North Carolina, Oklahoma, Oregon, Pennsylvania, Puerto Rico, Rhode Island, South Carolina, Tennessee, Utah, Washington, West Virginia and Wisconsin also participated.

The attorneys general alleged three categories of violations: violations of the HIPAA Security Rule for failing to implement reasonable and appropriate safeguards to ensure the confidentiality, integrity, and availability of electronic protected health information; a failure to conduct a secure code review at any point before the data breach; and violations of the HIPAA Breach Notification Rule and state data breach notification laws for failing to provide affected individuals with timely and complete information about the breach.

The $1.4 million settlement will be divided among the participating states and Inmediata has also agreed to strengthen its data security and breach notification practices. The requirements include the implementation and maintenance of a comprehensive information security program, which must include secure code reviews and search engine crawling controls. An incident response plan must also be developed that includes specific policies and procedures regarding consumer notification letters, and Inmediata must undergo annual third-party security assessments for the next five years. Last year, Inmediata settled a class action lawsuit over the data breach for $1.125 million.

“Inmediata maintained some of our most sensitive and private health information and they had an obligation to keep it secure. Their coding error left sensitive patient information exposed on public online searches for months, with no notification to impacted patients. Their failures violated numerous state consumer protection laws, breach notification laws, and HIPAA requirements. Our multistate settlement forces Inmediata to pay a significant fine and requires strong security practices going forward to ensure these types of inexcusable security lapses never occur again,” said Connecticut Attorney General, William Tong.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com