On January 7, the US Department of Health and Human Services (HHS), Office for Civil Rights (OCR), announced an $80,000 settlement with a Massachusetts-based company providing electronic medical record and billing support services to covered entities under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule. The settlement resolves an investigation concerning a ransomware attack on the company’s information system.
The settlement also marks the second enforcement action in OCR’s Risk Analysis Initiative. This initiative focuses on assessing the compliance of covered entities with the HIPAA Security Rule’s Risk Analysis provision, a key aspect of effective cybersecurity and the protection of electronic protected health information (ePHI). OCR created the Risk Analysis Initiative to increase the number of completed investigations and to highlight the need for greater attention to, and compliance with, this critical Security Rule requirement.
On March 25, 2023, an unknown actor gained access to a server on the company’s information system through open ports on its firewall. The company did not detect the intrusion until March 31, 2023, when a ransom note was found. In June 2023, the company filed a breach report with HHS, which stated that approximately 31,248 individuals were affected by the ransomware infection. The protected health information (PHI) exposed included demographic data (name, social security number, address, driver’s license, and date of birth) and clinical information (medication, diagnosis, and condition). OCR’s investigation determined that the company had failed to conduct an accurate and thorough risk analysis to identify the potential risks and vulnerabilities to ePHI in its system.
Under the terms of the settlement agreement, OCR will oversee the company’s compliance with HIPAA for the next three years. In addition, the company has agreed to pay $80,000 to OCR and implement a corrective action plan, which outlines the steps the company will take to address potential violations of the HIPAA Privacy and Security Rules and protect the security of ePHI, including:
- Reviewing and updating its Risk Analysis to identify the potential risks and vulnerabilities to the company’s data and protect the confidentiality, integrity, and availability of ePHI.
- Updating its enterprise-wide Risk Management Plan (strategy to protect the confidentiality, integrity, and availability of ePHI) to address and mitigate any security risks and vulnerabilities found in the updated Risk Analysis.
- Reviewing and revising, if necessary, its written policies and procedures to comply with the Privacy and Security Rules.
- Providing workforce training on HIPAA policies and procedures.
“A HIPAA-compliant risk analysis is not only a legal requirement, but also a critical step in ensuring effective cybersecurity,” said OCR Director Melanie Fontes Rainer. “The best defense against cyberattacks, such as hacking and ransomware, is proactively assessing potential risks and vulnerabilities to electronic protected health information.”
Compliance Perspective
Issue
OCR enforces the HIPAA Privacy, Security, and Breach Notification rules, which set forth the requirements that covered entities (health plans, healthcare clearinghouses, and most healthcare providers) and business associates must follow to protect the privacy and security of PHI. Conducting a risk analysis is the first step in identifying and implementing safeguards that comply with the Security Rule and its standards. The Security Management Process standard requires organizations to implement policies and procedures to prevent, detect, contain, and correct security violations. Ransomware and hacking are the primary cyberthreats in healthcare, and since 2018 there has been a 264 percent increase in large breaches reported to OCR involving ransomware attacks.
Discussion Points
- Review policies and procedures related to HIPAA, PHI, and the Privacy, Security, and Breach Notification rules. Ensure that these policies specifically address risk analysis and are updated as new information becomes available.
- Train relevant staff on HIPAA, PHI, the Privacy, Security, and Breach Notification rules, and risk analysis. Provide refresher training at least annually and whenever new threats or security vulnerabilities are identified. Document training completions and maintain signed training acknowledgments in employees’ records.
- Conduct periodic audits to ensure compliance with HIPAA policies and procedures, confirming that staff demonstrate understanding and competency. Also audit periodically to confirm that an ongoing risk analysis is being conducted.
*This news alert has been prepared by Med-Net Concepts, Inc. for informational purposes only and is not intended to provide legal advice.*