OCR Settles Alleged HIPAA Violations with Puerto Rican Healthcare Clearinghouse
The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has agreed to settle alleged HIPAA Privacy and Security Rule violations with the Puerto Rican healthcare clearinghouse, Inmediata Health Group.
The alleged HIPAA violations were discovered during an investigation of the exposure of individuals’ electronic protected health information (ePHI) via the Internet. OCR received a complaint on November 16, 2018, alleging patients’ ePHI held by Inmediata was accessible over the Internet. OCR’s investigation substantiated the allegations and determined that between May 16, 2016, and January 23, 2019, the ePHI of 1,565,338 individuals was publicly available on the Internet and had been indexed and cached by search engines. Inmediata analyzed the exposed data and determined that names, dates of birth, home addresses, Social Security numbers, claims information, diagnosis/conditions, and other treatment information had been exposed online.
OCR determined that the exposure of ePHI violated the HIPAA Privacy Rule. OCR also identified HIPAA Security Rule violations, including the failure to conduct a comprehensive, organization-wide risk analysis to identify risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI, and the failure to monitor activity in information systems containing ePHI.
Inmediata chose to settle the alleged HIPAA violations with OCR and paid a penalty of $250,000. Violations of this nature that have persisted for more than 2 years would typically warrant a larger financial penalty and a robust corrective action plan. Because Inmediata chose to settle the alleged violations, the penalty was reduced and no corrective action plan was imposed, as OCR was satisfied that the corrective requirements stipulated in a multi-state action in 2023 addressed all areas of noncompliance identified by OCR. The 2023 settlement was agreed by Inmediata, 32 U.S. State Attorneys General, and Puerto Rico and involved a $,400,000 financial penalty and a corrective action plan to address the noncompliance issues. Inmediata also settled a class action lawsuit in 2022 related to the data breach for $1,125,000.
“Health care entities must ensure that they are not leaving patient health information accessible online to anyone with an internet connection,” said OCR Director Melanie Fontes Rainer. “Effective cybersecurity means being proactive and vigilant in searching for risks and vulnerabilities to health data and preventing unauthorized access to patient health information.”
OCR has been particularly active this year in enforcing HIPAA compliance, with 16 HIPAA violation cases resulting in financial penalties. There have been 9 settlements with HIPAA-regulated entities in 2024 to resolve alleged violations of the HIPAA Rules and OCR has imposed 7 civil monetary penalties. Through its enforcement actions in 2024, OCR has collected $9,228,465 in penalties.