In a move highlighting the significance of upholding health data privacy, the Department of Health and Human Services’ Office for Civil Rights (HHS OCR) and MedEvolve, Inc. have reached a resolution agreement. The specifics of the case and its repercussions for HIPAA business associates are discussed as part of overall HIPAA guidelines for healthcare professionals.
What Are the Differences between HIPAA Covered Entities and HIPAA Business Associates?
In the context of the Health Insurance Portability and Accountability Act (HIPAA), both covered entities and business associates play crucial roles in protecting the privacy and security of Protected Health Information (PHI). However, there are important distinctions between the two.
Covered Entities
Covered entities are the central bodies that must comply with HIPAA regulations. They are involved in healthcare treatment, payment, or operations. Covered entities include:
- Health Care Providers. This includes healthcare providers, plans, and clearinghouses. However, they are only covered entities if they transmit information electronically in connection with a transaction for which HHS has adopted a standard, such as billing.
- Health Plans. Insurance companies, HMOs, company health plans, and government programs like Medicare and Medicaid.
- Health Care Clearinghouses. These entities process health information received from another entity into a standard format, or vice versa.
Business Associates
Business associates are individuals or organizations that perform certain functions or activities on behalf of, or provide certain services to, a covered entity that involve the use or disclosure of PHI. Examples include a medical billing company, a company that manages a health care provider’s electronic health record system, or a law firm providing legal services to a health care provider that involve access to PHI.
The key difference between the two revolves around their function in healthcare operations. Covered entities are PHI’s originators and primary users, while business associates are service providers to the covered entities, often needing access to PHI to carry out their services. Both entities must adhere to HIPAA rules to ensure PHI’s confidentiality, integrity, and availability. It is also important to note that business associates must sign Business Associate Agreements (BAAs) with the covered entities they work with to ensure they comply with HIPAA’s privacy and security rules.
The MedEvolve Case
On one side of the recent settlement in the MedEvolve case is the HHS OCR, the federal agency responsible for implementing and enforcing privacy, security, and data breach regulations under the Health Insurance Portability and Accountability Act (HIPAA). This includes protecting individual health information, maintaining the security of electronic health data, and responding to data breaches.
On the other side of the settlement, we have MedEvolve, a Little Rock, Arkansas business. As a business associate, MedEvolve provides services, including practice management, revenue cycle management, and practice analytics software to covered entities.
What Happened?
The case centers on a security breach that MedEvolve reported to the OCR in 2018. MedEvolve reportedly discovered an unsecured File Transfer Protocol (FTP) server that had been publicly accessible since January 1, 2018, and contained the protected health information (PHI) of over 230,000 individuals from two covered entities.
After a thorough investigation, the OCR found MedEvolve had failed to comply with several HIPAA provisions. This included improper disclosure of PHI, failure to establish a business associate agreement with a subcontractor, and insufficient assessment of potential risks to the electronic PHI it held.
The Resolution
Both parties agreed to resolve the matter without resorting to formal proceedings. As a result, MedEvolve agreed to pay $350,000 within 14 days of the agreement’s effective date. Furthermore, MedEvolve committed to a Corrective Action Plan (CAP), an essential part of this agreement, outlining the necessary improvements to its HIPAA compliance efforts. If MedEvolve breaches the CAP, it would be considered in violation of the agreement, and HHS would no longer be bound by the release it granted.
Moving Forward
With the agreement now in effect, HHS releases MedEvolve from any actions HHS might have taken under the HIPAA Rules concerning the disclosed conduct. However, this release doesn’t extend to actions that may be brought under section 1177 of the Social Security Act.
MedEvolve, for its part, accepts the obligation to pay the resolution amount and agrees not to contest its validity. It also acknowledges the agreement’s binding nature on its successors, heirs, transferees, and assigns.
Implications for Covered Entities
The MedEvolve, Inc. case is an important reminder and has significant implications for covered entities. They include the following interpretations of the relevant HIPAA guidelines for healthcare professionals:
- Emphasis on Compliance. The case reiterates the importance of strict compliance with HIPAA rules. Covered entities must ensure that they, and their business associates, are fully compliant to avoid penalties.
- Risk Analysis. Covered entities should regularly conduct thorough and accurate risk assessments to identify potential vulnerabilities in protecting electronic protected health information (ePHI).
- Business Associate Agreements. Covered entities must have valid business associate agreements with all business associates to define responsibilities and expectations about handling PHI.
- Breach Response Plans. This case underlines the importance of having effective incident response plans. Covered entities must be prepared to respond quickly and efficiently to a breach.
- Staff Training. Covered entities must ensure their staff are adequately trained in HIPAA compliance and understand the potential consequences of non-compliance.
- Patient Trust. Ensuring compliance builds trust with patients, as they can be confident that their sensitive health information will be protected and handled correctly.
- Financial Implications. Non-compliance can lead to significant financial penalties, not only for the HIPAA business associate but also for the involved covered entity. By prioritizing compliance and using HIPAA auditing services, covered entities can avoid such costly penalties.
Implications for Business Associates
This MedEvolve case underscores the importance of HIPAA compliance for HIPAA business associates in these ways:
- Upholding the privacy of individual health information. The MedEvolve agreement signifies the critical importance of safeguarding private health details. Entities managing such sensitive data must establish robust privacy measures to ensure confidentiality.
- Ensuring electronic health data security. Electronic health information can be particularly vulnerable to cyber threats. The case of MedEvolve underscores the necessity of robust and proactive security measures to protect electronic health data.
- Prompt and effective response to data breaches. A swift, effective response is crucial. This includes immediate breach containment, comprehensive investigation, transparent reporting, and implementation of corrective actions to prevent future incidents. MedEvolve’s situation reminds organizations to ensure they have solid breach response plans in place.
This case serves as a valuable lesson for covered entities and business associates about the importance of HIPAA compliance, reinforcing the need for a proactive approach to safeguarding patient data, including professional training in HIPAA guidelines and, as needed, HIPAA cybersecurity.
Transparency and adherence to the HIPAA guidelines are paramount for maintaining trust in the healthcare sector. As always, we’ll watch for similar cases to keep you informed. If you or your staff lack formal training in HIPAA compliance, consider Telehealth.org’s affordable solutions.
Essential Telehealth Law & Ethical Issues
Bring your telehealth practice into legal compliance. Get up to date on inter-jurisdictional practice, privacy, HIPAA, referrals, risk management, duty to warn, the duty to report, termination, and much more!