Skip To The Main Content

NYSDA Publications

OCR Takes HIPAA Action Against MIE

The United States Office for Civil Rights (OCR) has taken action against Medical Informatics Engineering, Inc. (MIE), which has paid $100,000 to OCR and has agreed to take corrective action to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules.  MIE is an Indiana company that provides software and electronic medical record services to health care providers.  On July 23, 2015, MIE filed a breach report with OCR following discovery that hackers used a compromised user ID and password to access the electronic protected health information (ePHI) of approximately 3.5 million people.  OCR’s investigation revealed that MIE did not conduct a comprehensive risk analysis prior to the breach.  The HIPAA Rules require entities to perform an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of an entity’s ePHI.  In addition to the $100,000 settlement, MIE will undertake a corrective action plan to comply with the HIPAA Rules that includes a complete, enterprise-wide risk analysis.  The resolution agreement and corrective action plan may be found at: