OCR Settles HIPAA Security Rule Investigation Concerning the Deletion of ePHI

The US Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced a $337,750 settlement with USR Holdings, LLC, a business associate in Florida, under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule. The settlement resolves a breach investigation concerning the deletion of electronic protected health information (ePHI) by an unauthorized third party. OCR initiated an investigation following the receipt of a breach report filed by USR in February 2019, which reported that from August 23, 2018, through December 8, 2018, a database containing the ePHI of 2,903 individuals was accessed by an unauthorized third party/parties who were able to delete ePHI in the database. OCR’s investigation found potential violations of the HIPAA Security and Privacy Rules, including failures to conduct an accurate and thorough risk analysis to determine the potential risks and vulnerabilities to ePHI in its systems; to regularly review its information system activity; and to establish and implement procedures to create and maintain retrievable exact copies of ePHI.
