Best Medical Transcription, a medical transcription vendor, has been fined by New Jersey Attorney General Gurbir S. Grewal over a 2016 HIPAA breach. The violation occurred while it was working as a business associate of Virtua Medical Group, a network of medical and surgical practices in southern New Jersey.
As part of their business arrangement, Best Medical Transcription was provided with dictated medical notes, letters, and reports, which it transcribed for Virtua Medical Group physicians. In January 2016, it was discovered that the business associate had uploaded transcribed documents to a File Transfer Protocol (FTP) site that was accessible over the Internet without any user authentication. Because the files had been indexed by Google, anybody could find them simply by searching for words contained in the documents. The investigation found that password protection had been removed from the site during a software update, and nobody had checked that the authentication requirement survived the update.
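The failure described above is a post-update regression: an authentication setting was lost and nothing caught it. The following Python script is an added example, not code from the original article and not Best Medical Transcription's actual configuration (the article does not say which FTP server product was in use; vsftpd's key=value format is assumed for illustration). It audits a config for anonymous access and cleartext transport, and compares a pre-update config with a post-update one so that a setting that silently reverted to its default shows up as a new finding. Both configs are constructed sample input.

```python
"""Audit a vsftpd-style FTP config for anonymous access and TLS regressions.

Added example for illustration; the real server product in the case is
unknown and vsftpd's format is assumed. Sample configs are constructed.
"""
from typing import Dict, List

# vsftpd's compiled-in defaults matter: a key that is absent from the file
# is not "off", it takes the default. anonymous_enable defaults to YES, so
# deleting the line "anonymous_enable=NO" silently re-enables anonymous login.
DEFAULTS = {
    "anonymous_enable": "YES",
    "local_enable": "NO",
    "write_enable": "NO",
    "anon_upload_enable": "NO",
    "ssl_enable": "NO",
    "force_local_logins_ssl": "YES",
    "force_local_data_ssl": "YES",
}


def parse_vsftpd(config_text: str) -> Dict[str, str]:
    """Parse vsftpd's key=value format, ignoring blank and comment lines."""
    settings: Dict[str, str] = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def _enabled(settings: Dict[str, str], key: str) -> bool:
    """True if the key is YES, applying vsftpd's default when it is absent."""
    return settings.get(key, DEFAULTS.get(key, "NO")).upper() == "YES"


def audit_vsftpd(config_text: str) -> List[str]:
    """Return a list of findings; an empty list means the checks passed."""
    s = parse_vsftpd(config_text)
    findings: List[str] = []
    if _enabled(s, "anonymous_enable"):
        findings.append(
            "anonymous_enable is YES (or absent, which defaults to YES): "
            "anyone can log in and list files without credentials")
        if _enabled(s, "anon_upload_enable"):
            findings.append("anon_upload_enable is YES: anonymous users can write files")
    if not _enabled(s, "ssl_enable"):
        findings.append("ssl_enable is NO: credentials and file contents cross the network in cleartext")
    elif not (_enabled(s, "force_local_logins_ssl") and _enabled(s, "force_local_data_ssl")):
        findings.append("TLS is optional for local users: a client can fall back to cleartext")
    return findings


def regressions(before_text: str, after_text: str) -> List[str]:
    """Findings present after an update that were not present before it."""
    before = set(audit_vsftpd(before_text))
    return [f for f in audit_vsftpd(after_text) if f not in before]


# Constructed sample: the hardened config as deployed before the update.
BEFORE_UPDATE = """
# vsftpd.conf (constructed example)
anonymous_enable=NO
local_enable=YES
write_enable=YES
ssl_enable=YES
"""

# Constructed sample: the updater rewrote the file and dropped one line.
# Every remaining line is unchanged, so a diff of "what is present" looks
# harmless; only the missing line matters, and its default is YES.
AFTER_UPDATE = """
# vsftpd.conf (constructed example, after package update)
local_enable=YES
write_enable=YES
ssl_enable=YES
"""

if __name__ == "__main__":
    print("before update:", audit_vsftpd(BEFORE_UPDATE) or "no findings")
    print("after update: ", audit_vsftpd(AFTER_UPDATE) or "no findings")
    for finding in regressions(BEFORE_UPDATE, AFTER_UPDATE):
        print("REGRESSION:", finding)
```

The design point is that the audit resolves absent keys to the server's documented defaults rather than treating "not set" as "not enabled"; a check that only inspects lines present in the file would have passed the post-update config. Running the audit as part of the update or deployment step, and failing the job on any new finding, is the control that was missing in this case.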
An investigation was launched into the incident to determine the scope of the breach. It was determined that 1,654 patients had their protected health information exposed as a result of the error.
In accordance with HIPAA’s Breach Notification Rule, those patients affected by the breach were sent notification letters. Virtua Medical Group terminated its relationship with Best Medical Transcription. In 2017, Best Medical Transcription was dissolved.
New Jersey Attorney General Gurbir S. Grewal and the New Jersey Division of Consumer Affairs investigated the breach. They concluded that Virtua Medical Group was responsible for failing to protect patients’ data, that it did not have an adequate security awareness training programme for its staff, and that it was responsible for “unacceptable delays” in identifying and responding to the breach.
Virtua Medical Group settled with New Jersey for $417,816 in April 2018 to resolve the HIPAA violations. In addition to paying the fine, the organisation agreed to improve its data protection practices to prevent an incident of a similar nature from occurring again.
HIPAA holds covered entities accountable for data breaches caused by their business associates, but third-party vendors that enter into business associate agreements with HIPAA covered entities can also be fined directly for HIPAA violations. New Jersey accordingly also filed charges against ATA Consulting LLC, doing business as Best Medical Transcription, and the owner of the business, Tushar Mathur.
In the charges, New Jersey alleged that Best Medical Transcription had violated the HIPAA Privacy Rule, Security Rule and Breach Notification Rule. Specifically, it was alleged that Best Medical Transcription failed to conduct an accurate and thorough assessment of the potential risks to the confidentiality, integrity, and availability of ePHI; failed to implement appropriate safeguards to reduce risks and vulnerabilities to a reasonable and appropriate level; and failed to implement policies and procedures to prevent the improper alteration or destruction of ePHI.
It was further alleged that Best Medical Transcription failed to notify Virtua Medical Group about the breach, and that the improper disclosure of ePHI violated its business associate agreement with Virtua Medical Group.
Tushar Mathur agreed to pay New Jersey a civil monetary penalty of $191,492 to resolve the HIPAA violations and $8,508 to cover attorneys’ fees and costs. Mathur has also been barred from managing or owning a business in New Jersey.
“We will continue to protect the privacy of New Jersey patients by vigorously enforcing the laws safeguarding their personal health information,” said Attorney General Grewal. “Our action against Best Medical Transcription demonstrates that any entity that fails to comply with its duty to protect private health records of New Jersey patients will be held accountable… Our settlement with Best Medical Transcription sends a message that New Jersey requires compliance from all entities bound by patient privacy standards.”
This case serves as an important reminder that business associates are held to the same standards as HIPAA covered entities and must take every reasonable precaution to ensure that patient data is protected. Covered entities remain responsible for the actions of their business associates, and both organisations can be penalised for failure to comply with HIPAA.