Heath System Agrees to Pay $950 000 to Settle HIPAA Security Violations

In early July 2024, the US Department of Health and Human Services Office for Civil Rights (OCR) announced a settlement with Heritage Valley Health System, an organization providing health care in Ohio, Pennsylvania, and West Virginia. The settlement was to resolve potential violations of the Health Insurance Portability and Accountability Act (HIPPA) Security Rule following a ransomware attack.

OCR is the agency that enforces HIPAA Privacy, Security, and Breach Notification Rules which set forth the requirements that covered entities must follow to protect the privacy and security of private health information. According to OCR, there has been a 264% increase in major breaches involving ransomware attacks since 2018.

Following a ransomware attack on the health system, an OCR investigation revealed multiple violations of HIPAA’s Security Rule, including failure by Heritage Valley Health System to properly assess risk of its electronic system, implement a contingency plan for emergencies, and implement policies to secure protected health information.

“Hacking and ransomware are the most common type of cyberattacks within the health care sector. Failure to implement the HIPAA Security Rule requirements leaves health care entities vulnerable and makes them attractive targets to cyber criminals,” said OCR Director Melanie Fontes Rainer, in a press release. “Safeguarding patient protected health information protects privacy and ensures continuity of care, which is our top priority.”

The settlement, which is a resolution agreement, requires Heritage Valley to pay a $950 000 fine as well as to implement a corrective action plan which will be monitored by OCR for the next 3 years. The corrective action plan includes steps to protect the security of patients’ personal health information, and to resolve potential violations of the Security Rule. Heritage Valley must:

• Conduct a risk analysis to determine potential dangers and vulnerabilities to the confidentiality, integrity, and availability of its electronic protected health information;
• Implement a risk management plan to address vulnerabilities discovered as part of the risk analysis;
• Develop, maintain, review, and revise its written policies to comply with HIPAA; and
• Properly train employees on HIPAA policies and procedures.

The Takeaway

The Government (the OCR in this case) takes HIPAA security very seriously. Although we normally think of HIPAA in terms of the privacy rule, the tremendous upsurge in cyber attacks is prompting a sharpened focus on HIPAA’s Security Rule, which governs how to protect personal health information.

What Can You Do?

The OCR recommends the following steps to help mitigate or prevent cyber threats:

• Ensure all vendor/contractor agreements address breach/security incident obligations.
• Conduct regular risk analysis and risk management into business processes.
• Regularly review information system activity.
• Encrypt electronic protected health information to secure it against unauthorized access.
• Use multi-factor authentication to protect electronic protected health information.
• Have an audit system in place to record and examine computer system activity.

Reference

HHS Office for Civil Rights settles HIPPA Security Rule failures for $950,000. News release. HHS. Published July 1, 2024. Accessed August 5, 2024.