It is reported that Arkansas Business Associate (BA) MedEvolve has agreed to settle a PHI breach affecting more than 200,000 people. MedEvolve will pay $350,000 and enter a two-year corrective action plan (CAP), following its deployment of a server that left patient data unsecured. No surprise were the potential HIPAA violations cited: an insufficiently accurate or thorough risk analysis, and the failure to enter into a business associate agreement with a subcontractor.
So why the "Interesting" headline? We are curious why the CAP fails to mention anything related to §164.308(a)(8) Evaluation, which requires "a periodic technical and nontechnical evaluation ... in response to environmental or operational changes affecting the security of electronic protected health information." We recommend that HIPAA-compelled entities, including BAs, test their information enterprise, especially when deploying new servers or upgrading network equipment, to ensure that (e)PHI remains protected. We see a LOT of BAs being brought in to help covered entities (CEs) with billing, business operations and analytics. What we don't necessarily see is those CEs demanding any documentation that these processes are proven secure.
Equally curious is how OCR structures its settlement documentation. Not only is MedEvolve relieved of any admission of liability, which seems to be standard with settlement agreements, but OCR also concedes that MedEvolve is not in violation of the HIPAA Rules. That latter point seems to contradict everything reported, although maybe OCR only uses violation verbiage when a civil monetary penalty is being sought.
Click the graphic below if you want to read the OCR-sourced announcement. In the meantime...
Stay (HIPAA) safe,