The HHS Office for Civil Rights (OCR) has announced a further settlement involving a ransomware-related HIPAA violation. The settlement is the first HIPAA enforcement action under OCR's new risk analysis enforcement initiative. Bryan County Ambulance Authority, an emergency medical service provider in Oklahoma, agreed to pay a $90,000 financial penalty and adopt a corrective action plan.
The HIPAA Security Rule, at 45 C.F.R. § 164.308(a)(1)(ii)(A), requires covered entities and business associates to conduct an accurate and thorough risk analysis: an assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI). An organization that has not done so cannot know where its ePHI is exposed, and is unlikely to be aware of weaknesses that malicious actors could exploit to gain access to its systems and data. Once risks are identified, the Security Rule's companion risk management requirement obliges the organization to reduce them to a reasonable and appropriate level and to keep them under review.
OCR's investigations of large data breaches have repeatedly found that HIPAA-regulated entities get risk analysis wrong: they do not perform one at all, do not perform it regularly, or leave it incomplete. The frequency of these violations, and the direct effect of an absent or inadequate risk analysis on security, led OCR to prioritize enforcement of this provision of the HIPAA Security Rule.
On November 24, 2021, Bryan County Ambulance Authority experienced a ransomware attack that encrypted files on its systems. Its investigation confirmed that the affected files contained the ePHI of 14,273 individuals. OCR was notified of the breach on June 9, 2022, and opened an investigation to assess the organization's compliance with the HIPAA Rules.
OCR found that Bryan County Ambulance Authority had never conducted a risk analysis to identify the potential risks and vulnerabilities to the confidentiality, integrity, and availability of its ePHI. Given the seriousness of the violation, OCR determined that a financial penalty was warranted. Bryan County Ambulance Authority chose to resolve the matter through a settlement, agreeing to pay $90,000 without admitting liability or wrongdoing.
Skipping the HIPAA Security Rule risk analysis leaves a healthcare organization blind to the weaknesses that ransomware operators exploit. Knowing where ePHI is stored, which systems process it, and which safeguards protect it is fundamental to HIPAA compliance. OCR launched the Risk Analysis Initiative to increase the number of investigations it completes and to focus regulated entities' attention on this requirement and on improving HIPAA compliance generally.
The settlement includes a corrective action plan (CAP) under which OCR will monitor Bryan County Ambulance Authority's compliance for three years. The CAP requires the organization to conduct an accurate and thorough risk analysis and submit the results to OCR, together with a complete inventory of all electronic equipment, data systems, off-site data storage facilities, and applications that contain or store ePHI. A risk analysis must then be performed annually.
After each risk analysis, a risk management plan must be developed and implemented to reduce the identified risks and vulnerabilities. The CAP also requires written policies and procedures that comply with the HIPAA Rules to be developed, implemented, and maintained. Once OCR has approved them, the policies and procedures must be distributed to all workforce members with access to ePHI, and training on them must be provided annually thereafter.
New workforce members with access to ePHI must receive the policies within 30 days, and every workforce member with ePHI access must certify, in writing or electronically, that they have received the policies and procedures. No workforce member may be granted access to ePHI before providing that certification. If Bryan County Ambulance Authority determines that a workforce member may have failed to comply with the policies and procedures, it must investigate promptly, and it must report any such violations to OCR in quarterly reports.
This is OCR's 11th HIPAA enforcement action with a financial penalty in 2024 and its 7th penalty for a ransomware-related data breach. OCR has collected more than $7 million in HIPAA penalties so far in 2024, more than the combined total for 2022 and 2023.