It’s no secret that the healthcare industry receives its fair share of cyberattacks. A six-year investigation resulted in a $2.3 million payment to the Office for Civil Rights (OCR) and compliance with a corrective action plan for “longstanding, systemic noncompliance with the HIPAA Security Rule,” despite an FBI notification in 2014.
CHSPSC LLC repeatedly failed to remedy Security Rule vulnerabilities, even after a call from the FBI. The company provides IT and health information business associate (BA) services to hospitals and physician clinics in Tennessee. The FBI warned CHSPSC of a persistent threat from a cyberhacking group; despite the notice, attackers continued to access PHI using compromised administrative credentials.
This hefty settlement underscores OCR’s guidance from May 2019 for business associates: many of the HIPAA Privacy and Security Rule requirements that apply to covered entities (CEs) apply directly to BAs as well.
Remember, if you are a CE, or a BA providing services to a CE, the HIPAA Privacy and Security Rules must be followed, and ComplianceDashboard makes that process simpler. Learn more about our HIPAA solutions.