The Office of Civil Rights of the Department of Health and Human Services (OCR) announced that it has entered into a settlement with a business associate that provides electronic medical records services to health care providers. The resolution agreement requires Medical Informatics Engineering, Inc. (MIE) to pay $100,000 and adhere to a corrective action plan. Under the corrective action plan, MIE must conduct a security risk assessment and implement a security risk management plan under OCR supervision.
The breach giving rise to the settlement resulted from a compromised username and password that gave hackers access to the electronic protected health information of 3.5 million people. The compromised information included names, addresses, dates of birth, Social Security numbers, e-mail addresses, clinical information, and health insurance information. As required by HIPAA, MIE itself reported the breach. OCR investigated and found that MIE had failed to conduct an accurate and thorough security risk analysis.
The resolution agreement does not provide details about OCR’s evaluation of the situation, but the settlement suggests that OCR did not find MIE’s violation to be particularly blatant and that it paid more attention to the nature of the breach than to its impact. On the basis of the information revealed and the numbers affected, the penalty could have been much larger. Under OCR guidance, the minimum penalty that applies (when even reasonable diligence would not have prevented the breach) would be calculated based on $100 per violation. With 3.5 million individuals affected, that would come to $350 million.
That amount does not take into account the maximum limit that applies for each type of violation. In this case, only one type of violation was identified, so the cap is straightforward to determine. Under the rules that applied prior to the new guidance issued a few weeks ago, all penalties were capped at a total of $1.5 million for each type of violation, so we might have expected that to be the penalty. However, under the new guidance, penalties are reduced where the violations are less blameworthy. The $100,000 penalty in this case matches the maximum penalty for a violation that is due to reasonable cause.
Without a more detailed understanding of the facts, it is not possible to determine whether the reasonable cause limitation was applied or appropriate in this case, but the result suggests that the new caps may influence sanctions that OCR will seek in at least some HIPAA enforcement actions.