




























HHS’ Office for Civil Rights Settles HIPAA Investigation of Health Care Software Company
The U.S. Department of Health and Human Services’ Office for Civil Rights (“OCR”) recently announced a settlement with MMG Fusion, LLC (“MMG”), a Maryland-based health care software company, to resolve the company’s alleged noncompliance with the HIPAA Privacy, Security and Breach Notification Rules.
According to OCR’s announcement, MMG operates as a business associate that receives protected health information (“PHI”) from covered entities and provides software used to communicate directly with patients. The investigation was initiated in March 2023 following a complaint regarding an unreported security incident and the appearance of PHI on the dark web.
OCR’s investigation determined that in December 2020, an unauthorized actor infiltrated MMG’s systems and accessed PHI, including names, phone numbers, mailing addresses, email addresses, dates of birth and appointment information, affecting approximately 15 million individuals.
OCR concluded that MMG: (i) impermissibly disclosed PHI; (ii) failed to conduct an accurate and thorough risk analysis to assess risks and vulnerabilities to the confidentiality, integrity and availability of electronic PHI; and (iii) failed to timely notify covered entities of the breach, as required under the HIPAA Breach Notification Rule.
Settlement Terms and Corrective Action Plan
Under HHS’s resolution agreement, MMG agreed to:
OCR will monitor MMG’s compliance with the corrective action plan for three years. MMG also agreed to pay $10,000 to OCR, with the agency noting that it considered MMG’s financial condition in determining the settlement amount.