On September 26, 2024, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) announced a $250,000 settlement with Cascade Eye and Skin Centers due to alleged violations of the HIPAA Rules. OCR enforces the HIPAA Privacy, Security, and Breach Notification Rules, which set forth the requirements that covered businesses must follow to protect the privacy and security of protected health information (PHI). The OCR’s corrective action plan and further recommendations for healthcare providers contain important takeaways for security in a time of increasing ransomware attacks.
The Incident
In 2017, OCR received a complaint reporting that Cascade had experienced a ransomware attack. Further investigation by OCR revealed that the attack impacted approximately 291,000 files containing ePHI. The potential violations identified by OCR included: (1) failure to sufficiently review activity in information systems containing ePHI[1]; and (2) failure to conduct a comprehensive risk analysis to identify potential risks and vulnerabilities to ePHI[2].
The Corrective Action Plan
The parties agreed to a settlement agreement and corrective action plan. As part of the Security Management Process required under the HIPAA Security Rule, OCR directed Cascade to inventory all data systems, electronic equipment, data storage facilities, and applications containing ePHI. This inventory will then be used to conduct an accurate and thorough risk analysis of potential risks and vulnerabilities to ePHI. Cascade must submit to OCR the scope and methodology of the proposed risk analysis and incorporate any changes recommended.
Cascade must also develop an enterprise-wide risk management plan, mitigate any security vulnerabilities found by the risk analysis, and implement a process to review records of information system activity regularly. These policies must also include a contingency plan for responding to security incidents and written procedures for tracking user identity in systems containing ePHI. Cascade must provide OCR with notice of its intended risk management plan, process to regularly review records, contingency plan, and user identity tracking, and incorporate any changes recommended.
Cascade must draft these policies to “more explicitly delineate” employee roles and responsibilities for internal and external reports of potential breaches of PHI, notifications to affected individuals, notifications to media outlets for larger breaches, and notifications to OCR. OCR will monitor the corrective plan for two years. Cascade must provide OCR with regular reports, incorporate any changes OCR recommends, and report any further failure to comply during the compliance term.
OCR Recommendations to Mitigate or Prevent Cyber Threats
OCR took this opportunity to emphasize many of the required and addressable HIPAA Security Rule implementation specifications, including implementing appropriate business associate agreements, using multi-factor authentication to protect ePHI, integrating risk analysis and management in business processes, and encrypting ePHI. The list is not exhaustive, and covered businesses should also consult the HIPAA Rules.
Takeaways
If you are a covered entity or business associate under the HIPAA Rules, security obligations such as data inventories and risk management protocols are a must. The OCR reported a 264% increase in large ransomware breaches since 2018, and even smaller, privately-owned providers are a potential target. Many covered entities may have HIPAA policies in place, but failing to review and stay current on security may end up costing them. Businesses must develop and maintain effective HIPAA compliance programs so that they can demonstrate their layered safeguards, especially following a breach.
[1] 45 CFR § 164.308(a)(1)(ii)(D).
[2] 45 CFR § 164.308(a)(1)(ii)(A).