HIPAA Settlement

Tennessee Diagnostic Medical Imaging Company Pays $3,000,000

A diagnostic imaging company's $3 million HIPAA penalty: the violations, the investigation, and the outcome.

April 2026 | AXIS CloudSync Compliance Team

Touchstone Medical Imaging ("Touchstone") has agreed to pay $3,000,000 to the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) and to adopt a corrective action plan to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Security and Breach Notification Rules. Touchstone, based in Franklin, Tennessee, provides diagnostic medical imaging services in Nebraska, Texas, Colorado, Florida, and Arkansas.

In May 2014, Touchstone was notified by the Federal Bureau of Investigation (FBI) and OCR that one of its FTP servers had allowed uncontrolled access to its patients' protected health information (PHI). This uncontrolled access permitted search engines to index the PHI of Touchstone's patients, which remained visible on the internet even after the server was taken offline. Touchstone initially claimed that no patient PHI was exposed.

However, during OCR's investigation, Touchstone subsequently admitted that the PHI of more than 300,000 patients was exposed, including names, birthdates, Social Security numbers, and addresses. OCR's investigation found that Touchstone did not thoroughly investigate the security incident until several months after notice of the breach from both the FBI and OCR. Consequently, Touchstone's notification to individuals affected by the breach was also untimely.

OCR's investigation further found that Touchstone failed to conduct an accurate and thorough risk analysis of potential risks and vulnerabilities to the confidentiality, integrity, and availability of all of its electronic PHI (ePHI), and failed to have business associate agreements in place with its vendors, including its IT support vendor and a third-party data center provider, as required by HIPAA.

"Covered entities must respond to suspected and known security incidents with the seriousness they are due, especially after being notified by two law enforcement agencies of a problem," said OCR Director Roger Severino. "Neglecting to have a comprehensive, enterprise-wide risk analysis, as illustrated by this case, is a recipe for failure."

In addition to the monetary settlement, Touchstone will undertake a robust corrective action plan that includes the adoption of business associate agreements, completion of an enterprise-wide risk analysis, and comprehensive policies and procedures to comply with the HIPAA Rules. The resolution agreement and corrective action plan may be found on the HHS website under HIPAA for Professionals, Compliance and Enforcement, Agreements.

Source: AXIS CloudSync
