Today, the US Department of Health and Human Services (HHS) Office for Civil Rights (OCR), announced a settlement under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) with Green Ridge Behavioral Health, LLC, a Maryland-based practice that provides psychiatric evaluations, medication management, and psychotherapy. OCR enforces the HIPAA Privacy, Security, and Breach Notification Rules, which sets forth the requirements that HIPAA covered entities (most healthcare providers, health plans, and healthcare clearinghouses) and their business associates must follow to protect the privacy and security of protected health information. The settlement resolves an investigation following a ransomware attack that affected the protected health information of more than 14,000 individuals. This marks the second settlement that OCR has reached with a HIPAA-regulated entity for potential violations identified during an investigation following a ransomware attack.
