Comstar, a Business Associate fined $75K for Ransomware Attack

The Office for Civil Rights (OCR) has the authority to conduct compliance reviews and investigations of complaints alleging violations of the Privacy, Security, and Breach Notification Rules (the “HIPAA Rules”) by covered entities and business associates. Comstar, LLC (“Comstar”) meets the definition of “business associate” under 45 C.F.R. § 160.103 because it provides billing, collection, consulting, Electronic Patient Care Reporting (ePCR) hosting, and client/patient services for non-profit and municipal ambulance services.

History

On March 19, 2022, an unknown actor gained access to the electronic protected health information (“ePHI”) maintained on Comstar’s network servers. Comstar did not detect the intrusion until March 26, 2022, when its IT service vendor began receiving support tickets. It was determined that ransomware had been used to encrypt Comstar’s network servers and that the protected health information (“PHI”) of 585,621 individuals was affected.

HHS’ investigation indicated that the following conduct occurred:

  • Comstar failed to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information that it holds.

Resolution Agreement

  • Comstar has agreed to pay HHS $75,000 on the Effective Date of the Agreement.
  • Comstar agrees to comply with the Corrective Action Plan (“CAP”). If Comstar fails to cure a breach of the CAP, Comstar will be in breach of the Agreement and HHS will not be bound by the Release in the Agreement.
  • HHS does not release Comstar from, nor waive any rights, obligations, or causes of action other than those arising out of or related to the Covered Conduct. This release does not extend to actions that may be brought under section 1177 of the Social Security Act, 42 U.S.C. § 1320d-6.
  • The Agreement is binding on Comstar and its successors, heirs, transferees, and assigns.

Summary

This clearly demonstrates the authority HHS has in assessing fines for business associates. Ransomware affects all types of businesses, and an annual risk analysis helps to uncover vulnerabilities to prevent data breaches.

Every medical practice and business associate must have a documented risk analysis and risk management plan. This is not just for compliance, but to protect patients’ information, and the integrity of their operations.

At Aris Medical Solutions, our online HIPAA Keeper™ is an all-in-one secure, cloud-based system that helps healthcare providers and business associates simplify compliance by maintaining up-to-date policies, procedures, HIPAA training, and documentation to meet every aspect of the HIPAA Privacy and Security Rules.

Protect your practice before an attack happens. Schedule your HIPAA compliance review today and protect your organization from the next enforcement headline.

©2025 Aris Medical Solutions – HIPAA Keeper | HIPAA Compliance Consultants | All Rights Reserved | Terms and Conditions | Privacy Policy