Franklin, Tennessee-based Touchstone Medical Imaging has agreed to pay the Office for Civil Rights (OCR) $3 million to settle a 2014 security breach that exposed the protected health information (PHI) of more than 300,000 patients. Touchstone must also adopt a corrective action plan to settle the potential HIPAA violations, according to a prepared statement from the HHS Press Office.
The PHI included patient names, birthdays, social security numbers and addresses. According to the statement, it took “several months” after being alerted by the FBI and OCR for Touchstone to investigate the issue. In addition, the HHS says Touchstone took too long to notify the patients involved and “failed to have business associate agreements in place with its vendors, including their IT support vendor and a third-party data center provider.”
“Covered entities must respond to suspected and known security incidents with the seriousness they are due, especially after being notified by two law enforcement agencies of a problem,” Roger Severino, OCR director, said in the statement. “Neglecting to have a comprehensive, enterprise-wide risk analysis, as illustrated by this case, is a recipe for failure.”
The correction action plan is to include “the adoption of business associate agreements, completion of an enterprise-wide risk analysis, and comprehensive policies and procedures to comply with the HIPAA Rules,” according to the statement.