HIPAA Violation Case


Student’s name

Institution affiliation

HIPAA (Health Insurance Portability and Accountability Act) is a U.S. federal law establishing strict standards for protecting patients' health information, also known as Protected Health Information (PHI). Violations of HIPAA can result in severe penalties, including fines and legal actions. One common area of concern regarding HIPAA violations involves unsecured servers where PHI is stored or transmitted.

In the case involving Arkansas business associate MedEvolve, the Office for Civil Rights (OCR) concluded that there was a violation of the HIPAA rules as a result of a data breach in which servers containing the protected health information of 23,572 individuals were left unsecured and accessible on the internet (US Department of Health and Human Services, 2023). The HIPAA rules require handlers of protected health data to protect the privacy and security of such information. If a server containing PHI is left unsecured or lacks proper access controls, it can be accessed by unauthorized individuals, leading to a breach of patient confidentiality. Unauthorized access to PHI is a severe HIPAA violation and can result in substantial fines, legal actions, and damage to an organization's reputation. For example, a category four violation that constitutes "willful neglect" with no attempt to correct the violation can attract a minimum fine of $50,000 per violation. MedEvolve made a $350,000 monetary settlement to the Office for Civil Rights for the breach. The company also responded by implementing a corrective action plan to resolve potential violations and protect the security of protected health information in its electronic records.

An unsecured server is more susceptible to data breaches, whether due to hacking, malware, or physical theft of hardware. Any unauthorized disclosure of PHI is considered a breach. HIPAA mandates that organizations report data breaches to affected individuals, the U.S. Department of Health and Human Services (HHS), and sometimes the media. Fines can be significant, depending on the extent of the breach and the negligence involved. HIPAA requires encryption to protect PHI when transmitted electronically or stored on servers. Unencrypted data is more susceptible to interception and unauthorized access. Consequently, failure to encrypt data is a violation of HIPAA regulations.

The potential HIPAA violations in the case of MedEvolve included a lack of analysis to determine vulnerabilities, potential attack surfaces, and other risks to protected health information. Another significant violation was the failure to enter into a business associate agreement with a subcontractor. HIPAA mandates that covered entities and their business associates establish contracts, or business associate agreements, that outline the permissible uses and disclosures of ePHI, specify security safeguards, and require prompt breach notifications. In this case, it appears that MedEvolve failed to have such an agreement in place with a subcontractor, which is a serious breach of HIPAA requirements.

This HIPAA violation case involves a significant data breach due to inadequate security measures, including the lack of a proper risk analysis and the absence of a business associate agreement with a subcontractor. MedEvolve's settlement and corrective action plan are intended to rectify these shortcomings and improve its cybersecurity and privacy practices to safeguard patient health information.


Reference

US Department of Health and Human Services. (2023). HHS Office for Civil Rights Settles HIPAA Investigation with Arkansas Business Associate MedEvolve Following Unlawful Disclosure of Protected Health Information on an Unsecured Server for $350,000. US Department of Health and Human Services. https://www.hhs.gov/about/news/2023/05/16/hhs-office-civil-rights-settles-hipaa-investigation-arkansas-business-associate-medevolve-following-unlawful-disclosure-phi-unsecured-server-350-000.html
