On July 1, 2024, the Department of Health and Human Services Office for Civil Rights (OCR) announced its settlement with Heritage Valley Health System to resolve potential violations of the HIPAA Security Rule. The settlement resulted from a ransomware incident that compromised electronic protected health information (ePHI).
In light of the 264% increase in large ransomware attacks reported since 2018, the OCR urges healthcare organizations to be vigilant in protecting patient information. “Hacking and ransomware are the most common type of cyberattacks within the health care sector. Failure to implement the HIPAA Security Rule requirements leaves health care entities vulnerable and makes them attractive targets to cyber criminals. Safeguarding patient protected health information protects privacy and ensures continuity of care, which is our top priority. We remind and urge health care entities to protect their records systems and patients from cyberattacks,” said OCR Director Melanie Fontes Rainer.
Compliance Missteps and the Settlement
OCR launched an investigation into Heritage Valley’s compliance practices after the health system suffered a ransomware attack. The investigation uncovered several potential HIPAA violations, including failure to:
- Conduct a security risk assessment to determine the potential risks and vulnerabilities to ePHI
- Implement a contingency plan to respond to incidents that damage systems containing ePHI
- Implement policies and procedures limiting access to ePHI to only authorized users
To resolve these potential violations, Heritage Valley agreed to pay $950,000, to implement a corrective action plan, and to submit to three years of OCR monitoring. The corrective action plan requires Heritage Valley to:
- Conduct an accurate and thorough risk analysis
- Implement a risk management plan
- Develop, maintain, and revise its written policies and procedures as necessary
- Train its workforce on those HIPAA policies and procedures
How to Prevent HIPAA Violations
Healthcare organizations that report large breaches are subject to OCR investigation, but an investigation does not necessarily end in a costly HIPAA penalty. Organizations that can demonstrate an effective compliance program and document the steps they took to protect PHI are more likely to resolve the investigation with technical assistance from OCR than with a settlement payment. The basics of HIPAA compliance include:
- Conducting an accurate and thorough risk analysis and adopting a risk management plan to remediate the identified risks and vulnerabilities
- Implementing written policies and procedures following the HIPAA Privacy, Security, and Breach Notification Rules
- Training all workforce members on HIPAA best practices and your organization’s policies and procedures at least annually
- Having signed business associate agreements with all business associate vendors
- Having an incident response plan in place that includes measures to contain and mitigate an incident and to report it within the required timeframes