$350K HIPAA Settlement With Medical Practice Manager Warning To Confirm Security, Business Associate Agreement Adequacy

A newly announced Department of Health and Human Services Office of Civil Rights (“OCR”) Health Insurance Portability and Accountability Act (“HIPAA”) settlement agreement with a medical practice manager business associate highlights the need for health care providers, health plans, and other HIPAA covered entities and persons or entities that has access to PHI as part of their relationship with a covered entity referred to as “business associates” about the need to ensure they and their service providers with access to protected health information (“PHI”) have in place and properly administer all HIPAA-required safeguards, business associate agreements and other policies and processes to comply with HIPAA.

The latest warning comes from OCR’s May 16, 2023 announcement that medical practice manager MedEvolve, Inc. (“MedEvolve”) paid OCR $350,000 and committed to a corrective action plan under a resolution agreement reached to settle OCR charges that MedEvolve violated HIPAA by failing to properly secure servers containing its covered entity clients’ PHI, not obtaining required business associate agreements with business associate subcontractors, and violating other HIPAA requirements.  Like many service providers to medical practices, health plans or other HIPAA covered entities, MedEvolve was subject to HIPAA’s Privacy, Security, Breach Notification and business associate agreement requirements due to its access, possession, use, protection, and disclosure of PHI in the course of servicing its covered entity customers.

HIPAA Privacy, Security and Breach Rules Generally

HIPAA generally requires health care providers, health plans and insurers, health care clearinghouses (“covered entities”) and business associates to maintain the privacy and security of PHI as required by HIPAA.  In addition, HIPAA’s Security Rule requires covered entities and their business associates to conduct risk assessments and implement and administer appropriate safeguards and procedures to protect electronic PHI from improper use, access, disclosure or destruction and in the event of a breach, to provide notification and take other action required by HIPAA’s Breach Notification Rule.  HIPAA’s business associate rules also require both covered entities and their business associates to enter into business associate agreements that document the business associate’s commitment to adhere to HIPAA’s Privacy, Security and Breach Notification Rules before a business associate accesses PHI. 

Violators of these and other HIPAA Privacy, Security and Data Breach rules risk substantial civil monetary penalties assessed based of the culpability of the violation and adjusted annually for inflation. Based on the most recent annual inflation adjustments made in 2022, the current indexed penalty amounts as of May 24, 2023 for each violation of a HIPAA are follows:

  • Tier 1—lack of knowledge: The minimum penalty is $127; the maximum penalty is $63,973; and the calendar-year cap is $1,919,173.
  • Tier 2—reasonable cause and not willful neglect: The minimum penalty is $1,280; the maximum penalty is $63,973; and the calendar-year cap is $1,919,173.
  • Tier 3—willful neglect, corrected within 30 days: The minimum penalty is $12,794; the maximum penalty is $63,973; and the calendar-year cap is $1,919,173.
  • Tier 4—willful neglect, not corrected within 30 days: The minimum penalty is $63,973; the maximum penalty is $1,919,173  and the calendar-year cap is $1,919,173.

These amounts almost certainly will increase further when 2023 inflation adjustments are published.

While OCR can impose these significant civil monetary penalties for HIPAA violations, most violations are resolved outside the cumbersome and costly civil monetary penalty process.  Under HIPAA, OCR possesses the authority to negotiate resolution agreements with covered entities and business associates that allow covered entities and business associates OCR accuses of violating the HIPAA Privacy, Security or Breach Notification Rules to settle HIPAA charges without the assessment of authorized civil monetary penalties. The vast majority of HIPAA violations found by OCR are resolved through the resolution agreement process since the OCR typically sets the required settlement payment amount below the maximum civil monetary penalty amount and the accused party avoids the cost and disruption of the civil monetary process.  The newly announced MedEvolve settlement is the latest resolution of HIPAA violation charges announced by OCR

$350,000 MedEvolve Resolution Agreement

The HIPAA charges against MedEvolve resulted after an OCR investigation of a data breach initiated in response to a series of breach notifications filed by MedEvolve with OCR.  As a provider of practice management, revenue cycle management, and practice analytics software services to medical practices, MedEvolve was a business associate responsible for the collection and administration of PHI for the health care providers it served. 

OCR’s investigation began after MedEvolve notified OCR of a breach of PHI’s on its server through an initial Breach Notification Report filed on July 10, 2018, which it supplemented by addendums filed on July 30, 2018 and August 12, 2020 (the “Reports”). According to the Reports, MedEvolve discovered on May 4, 2018 that a File Transfer Protocol (FTP) server containing PHI had been unsecure and accessible on the internet since January 1, 2018. The breach affected the PHI of a total of 230,572 individuals at two covered entities for which MedEvolve provided software and revenue cycle management services: Premier Immediate Medical Care, LLC (204,607 individuals affected) and the office of Dr. Beverly Held (25,965 individuals affected). The breached information included patient names, billing addresses, telephone numbers, primary health insurer and doctor’s office account numbers, and in some cases Social Security numbers. The OCR investigation uncovered evidence that PHI for both covered entities was viewed by at least one unauthorized individual while the FTP server was open to the public.

Based on its investigation, OCR concluded that MedEvolve violated HIPAA by:

  • Allowing the disclosure of PHI of 230,572 individuals;
  • Failing to enter into a business associate agreement with a subcontractor;
  • Failing to conduct a sufficiently accurate or thorough risk assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by it as a business associate was not sufficiently accurate or thorough.

To avoid the potentially much more significant civil monetary penalties that HIPAA authorizes OCR to impose for such breaches, MedEvolve entered into a resolution agreement with OCR that required MedEvolve to pay OCR $350,000 payment and take a series of corrective actions specified in the corrective action plan included in the resolution agreement.  To benefit from the resolution agreement, the resolution agreement requires MedEvolve to fully implement and adhere to all requirements of the corrective action plan including:

  • Conducting and preparing a report satisfactory to OCR of its complete risk assessment within 30 days and annually thereafter of the security risks and vulnerabilities of all electronic equipment, data systems, programs and applications controlled, administered, owned, or shared by MedEvolve or its affiliates that are owned, controlled or managed by MedEvolve that contain, store, transmit or receive MedEvolve ePHI;
  • Developing and implementing to the satisfaction of OCR an enterprise-wide risk management plan to address and mitigate any security risks and vulnerabilities identified in the risk analysis which includes a process and timeline for MedEvolve’s implementation, evaluation, and revision of its risk remediation activities;
  • Developing, maintaining, and revising, as necessary, to the satisfaction of OCR its written business associate agreements and any other policies and procedures to comply with Federal standards that govern the privacy and security of PHI;
  • Conducting training on the adopted HIPAA policies and procedures;
  • Retain all documents and records relating to compliance with the corrective action plan for six years from the effective date of the corrective action plan; and
  • If MedEvolve receives information that a workforce member may have failed to comply with the HIPAA policies and procedures (a “Reportable Event”), investigate promptly and notify HHS about its investigation findings within 60 days;
  • Submit to OCR monitoring for at least two years; and
  • Various other requirements for reporting, certification and notification to OCR.

MedEvolve agrees in the resolution agreement that OCR may treat as a breach and assess civil monetary penalties under HIPAA in the event of any failure by MedEvolve to fully comply with all requirements of the corrective action plan.

Warning To Other HIPAA Regulated Entities To Secure Servers And Other Systems With PHI

OCR’s announcement of the MedEvolve resolution agreement pointedly warns other covered entities and business associates to ensure the adequacy of their own and their business associates’ network and other servers and other HIPAA compliance as well as highlights many common compliance weaknesses that place covered entities and business associates at risk.

“Ensuring that security measures are in place to protect electronic protected health information where it is stored is an integral part of cybersecurity and the protection of patient privacy,” said OCR Director Melanie Fontes Rainer. “HIPAA regulated entities must ensure that they are not leaving patient health information unsecured on network servers available to the public via the internet.”

The MedEvolve server breach is one of the most common sources of HIPAA sanctions. Deficiencies in the security of servers of covered entities or their business associates are common HIPAA compliance deficiencies and raise significant enforcement and liability risks when a breach happens. Hacking/IT incidents were the most frequent (79%) type of large breach reported to OCR in 2022. Network servers are the largest category by location for breaches involving these large breaches.

Along with the frequency of these events, the risk of enforcement for server breaches is heightened by HIPAA breach reporting and investigation protocols. The HIPAA Breach Rule mandates expedited reporting for breaches of unsecured PHI affecting 500 or more people. As a matter of policy, OCR investigates every large breach report. Consequently, it is critical that HIPAA covered entities and their business associates use appropriate documented processes to identify, deter, protect against, detect, and respond to cybersecurity threats and malicious actors involving their servers.  Timely notification can mitigate exposure to additional liability for untimely breach notification. Where a large breach occurs, however, a covered entity or business associate can expect an investigation of the source of the breach as well as its overall compliance.

The resolution agreement also illustrates how HIPAA breach liability can arise from subcontracting of HIPAA covered responsibilities by a covered entity or business associate without ensuring the necessary business associate agreements and other HIPAA safeguards are implemented.

In light of reminders from enforcements like the MedEvolve resolution agreement, all covered entities and business associates should take documented steps to confirm the adequacy of security of all covered entity and business associate servers and other networks and storage devices with electronic PHI currently, whenever updates or other changes are implemented when evidence of potential compromise happens as well as on a scheduled periodic basis. Covered entities and business associates also should verify that they have in place appropriate business associate agreements with every service provider allowed to use, access or disclose PHI.  

Covered entities and business associates may wish to supplement the basic business associate agreement requirements mandated by the HIPAA Rules with additional safeguards providing for periodic reassurances or certifications of ongoing compliance, audit and investigation commitments, notification and other requirements regarding the use of subcontractors or delegated systems or services, provisions on indemnification and insurance commitments or other safeguards.   

For More Information

We hope this update is helpful. For more information about these or other health or other legal, management or public policy developments, please contact the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452 -8297

Solutions Law Press, Inc. invites you to receive future updates by registering on our Solutions Law Press, Inc. Website and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations GroupHR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy.

About the Author

Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for 35 plus years of health industry and other management work, public policy leadership and advocacy, coaching, teachings, and publications.

A Fellow in the American College of Employee Benefit Counsel, Chair of the American Bar Association (“ABA”) International Section Life Sciences and Health Committee, Chair-Elect of the ABA TIPS Section Medicine & Law Committee, Past Chair of the ABA Managed Care & Insurance Interest Group, Scribe for the ABA JCEB Annual Agency Meeting with HHS-OCR, past chair of the ABA RPTE Employee Benefits & Other Compensation Group and current co-Chair of its Welfare Benefit Committee, Ms. Stamer is most widely recognized for her decades of pragmatic, leading-edge work, scholarship and thought leadership on health and managed care and employer benefits legal, public policy and operational concerns in the healthcare, employer benefits, and insurance and financial services industries. She speaks and publishes extensively on HIPAA and other related compliance issues.

Ms. Stamer’s work throughout her career has focused heavily on working with health care and managed care, health and other employee benefit plan, insurance and financial services and other public and private organizations and their technology, data, and other service providers and advisors domestically and internationally with legal and operational compliance and risk management, performance and workforce management, regulatory and public policy and other legal and operational concerns.

For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested in reviewing some of our other Solutions Law Press, Inc.™ resources available here such as:


If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

NOTICE: These statements and materials are for general informational and educational purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstances at any particular time. No comment or statement in this publication is to be construed as legal advice or an admission. The author and Solutions Law Press, Inc.™ reserve the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law is rapidly evolving and rapidly evolving rules make it highly likely that subsequent developments could impact the currency and completeness of this discussion. The author and Solutions Law Press, Inc.™ disclaim, and have no responsibility to provide any update or otherwise notify anyone of any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication. Readers acknowledge and agree to the conditions of this Notice as a condition of their access to this publication. 

Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

©2023 Cynthia Marcotte Stamer. Limited non-exclusive right to republish granted to Solutions Law Press, Inc.™

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: