Privacy & Information Security Law Blog

On May 6, 2019, the U.S. Department of Health and Human Services’ Office for Civil Rights (“OCR”) announced that it had entered into a resolution agreement and $3 million settlement with Touchstone Medical Imaging (“Touchstone”). The settlement is the first OCR HIPAA enforcement action in 2019, following an all-time record year of HIPAA enforcement in 2018.

In May 2014, OCR and the Federal Bureau of Investigation contacted Touchstone to let it know that one of its file transfer protocol (“FTP”) servers permitted Internet search engines to index the protected health information (“PHI”) of Touchstone’s patients. The PHI remained available to unauthorized individuals after the server was taken offline. OCR investigated Touchstone and found that the PHI of 308,000 Touchstone patients was exposed during this incident, including patients’ names, Social Security numbers, addresses and dates of birth.

OCR found that Touchstone may have violated the HIPAA Privacy, Security and Breach Notification Rules by:

• impermissibly disclosing the PHI through the provision of access to an insecurely configured server;
• failing to implement technical policies and procedures to allow access to PHI only to authorized persons;
• neglecting to enter into business associate agreements (“BAAs”) with several business associates;
• failing to conduct an accurate and thorough risk analysis of the risks and vulnerabilities to the confidentiality, integrity and availability of electronic PHI (“ePHI”);
• not accurately identifying and responding to the security incident and mitigate its outcome; and
• notifying affected individuals and the media 147 days after the incident, which did not satisfy the Breach Notification Rule’s timing requirements.

The resolution agreement requires Touchstone to pay $3 million to OCR and enter into a Corrective Action Plan that obligates Touchstone to:

• provide OCR with an accounting of its business associates and the relevant BAAs;
• conduct a risk analysis and submit it to OCR for review and approval;
• implement a risk management plan to address and mitigate the risks and vulnerabilities identified in the risk analysis;
• revise its policies and procedures to address technical access to ePHI, termination of user accounts, password strength and safeguarding and documenting security incidents;
• distribute the policies and procedures to all members of its workforce within 30 days of adoption;
• conduct HIPAA training for members of its workforce;
• report any events of noncompliance with its HIPAA policies and procedures; and
• submit annual compliance reports for a period of two years.

In announcing the settlement with Touchstone, OCR Director Roger Severino noted that Touchstone had been notified of the incident by two law enforcement agencies and stated that “neglecting to have a comprehensive, enterprise-wide risk analysis, as illustrated by this case, is a recipe for failure.”