Indiana medical records service to pay $1M in HIPAA fines, multi-state settlement

June 14, 2019
Medicare Web

Last month, the U.S. Department of Health & Human Services announced that Medical Informatics Engineering, Inc. (MIE), an Indiana-based medical records service, paid a $100,000 fine to the Office of Civil Rights (OCR) for a 2015 HIPAA breach that compromised the protected health information (PHI) of approximately 3.5 million people.

At the time, OCR’s investigation found that MIE did not conduct a comprehensive risk analysis, in violation of HIPAA’s requirement that covered entities conduct an accurate and thorough assessment of potential risks and vulnerabilities to the integrity and confidentiality of electronic PHI.

In addition to the $100,000 settlement with OCR, in late May MIE also reached a multi-state settlement of $900,000 with 16 state attorney general offices. The settlement follows a December 2018 filing by Arizona, Arkansas, Connecticut, Florida, Indiana, Iowa, Kansas, Kentucky, Louisiana, Michigan, Minnesota, Nebraska, North Carolina, Tennessee, West Virginia and Wisconsin, all alleging that MIE did not safeguard its web-based health record program in accordance with not only HIPAA but also the states’ data breach notification requirements and related laws. This is the first multi-state settlement of its kind.

MIE did not admit liability or wrongdoing, but agreed to the settlement and to other injunctive provisions requiring it to comply with technical safeguards mandated by HIPAA.

The Health Information Technology for Economic and Clinical Health Act allows state attorneys general to bring civil action on behalf of state residents for HIPAA violations. OCR developed HIPAA enforcement training to assist state attorneys general on such matters and encourages collaboration across states.
