Printer Friendly, PDF & Email

The dual focus of an OCR investigation

Jay P. Anstine (jay.anstine@bannerhealth.com) is the Area Compliance Program Director for Banner Health’s Western Division Rural Hospitals.

On May 6, 2019, the Department of Health and Human Services, Office for Civil Rights (OCR) announced a settlement with a Tennessee diagnostic medical imaging provider, Touchstone Medical Imaging, which agreed to pay $3 million to resolve alleged violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

According to the Resolution Agreement,[1] OCR alleged Touchstone was notified in May of 2014 by the Federal Bureau of Investigation (FBI) and the OCR that one of its file transfer protocol (FTP) servers allowed uncontrolled access to their patients’ protected health information (PHI). This uncontrolled access permitted search engines (such as Google) to index the PHI of their patients, making it visible on the internet. According to the OCR, the PHI (including names, birthdays, Social Security numbers, and addresses) of more than 307,000 patients was exposed. The OCR’s investigation revealed a number of common shortfalls, such lacking business associate agreements, failing to implement policies, and not conducting an accurate and thorough assessment of ePHI risks and vulnerabilities. I think this settlement is notable though for how Touchstone responded to the incident.

This document is only available to members. Please log in or become a member