Health Care Coding and Billing Entity Pays $75,000 Settlement to Resolve HIPAA Data Breach

Saul Ewing LLP

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced a settlement on June 28, 2023 of potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules with iHealth Solutions, LLC (doing business as Advantum Health). Advantum Health is a Kentucky-based HIPAA business associate that provides coding, billing, and onsite information technology services to health care providers. The company's web page states that it "was established to be a single destination for the management needs of small to large size healthcare practices." The settlement was the result of a data breach in which the protected health information ("PHI") of 267 individuals was exfiltrated from an insecure Advantum Health network server.

What You Need to Know:

  • Health care management company enters into $75,000 settlement and corrective action plan with HHS OCR.
  • Business Associates are critical partners in ensuring HIPAA compliance.
  • Security Rule and Privacy Rule regulations are equally important and data breaches continue to be prevalent.

The HIPAA Privacy, Security, and Breach Notification Rules (collectively the "HIPAA Rules") set forth requirements to protect the privacy and security of health information by HIPAA-regulated entities (i.e., covered entities and business associates). In the press release announcing this settlement, OCR Director Melanie Fontes Rainer notes that HIPAA business associates must protect the privacy and security of the health information they are entrusted with, and effective cybersecurity includes ensuring that electronic PHI is secure and not accessible to everyone with an internet connection.

OCR initiated the investigation of Advantum Health after receiving a breach report in August 2017 that Advantum Health had experienced an unauthorized transfer of PHI from its server. The transferred PHI included patient names, dates of birth, addresses, Social Security numbers, email addresses, diagnoses, treatment information, medical procedures, and medical histories. OCR's investigation also found evidence of Advantum Health's potential failure to have in place an organizational analysis to determine risks and vulnerabilities to electronic PHI.

While admitting no wrongdoing, in addition to paying $75,000 to OCR, Advantum Health agreed to implement a two-year corrective action plan (CAP) with specific requirements. Advantum Health has agreed to do each of the following:

  • Conduct an accurate and thorough analysis of its organization to determine the potential security risks and vulnerabilities to the confidentiality, integrity, and availability of its electronic PHI;
  • Develop and implement a risk management plan to address and mitigate identified security risks and vulnerabilities;
  • Implement a process to evaluate environmental and operational changes that affect the security of electronic PHI;
  • Develop, maintain, and revise, as necessary, its written HIPAA policies and procedures; and
  • Submit an implementation report and annual reports to HHS.

The Resolution Agreement and CAP is available here.

To help avoid any unauthorized transfer of PHI, HIPAA violations, and costly settlements, HIPAA business associates should conduct regular analyses of their organizations to determine the potential security risks and vulnerabilities to the confidentiality, integrity, and availability of electronic PHI that they receive from HIPAA covered entities and promptly address and mitigate any risks and vulnerabilities that they identify. As OCR noted, HIPAA covered entities rely on their business associates to appropriately protect their PHI. The reputational and operational consequences for failing to do so can be significant.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Saul Ewing LLP | Attorney Advertising
