On January 8, 2025, the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) announced a $337,750 settlement with Florida-based USR Holdings, LLC (USR), a HIPAA business associate. The settlement resolves an OCR HIPAA breach investigation concerning PHI deletion by an unauthorized third party. Details of the HIPAA investigation and settlement are provided below.
OCR Settles HIPAA Investigation With Business Associate for $337,750: Copy That
OCR began its HIPAA investigation following the receipt of a breach report filed by USR in February of 2019. In its report, USR noted that from August through December of 2018, a database containing the names of 2,903 individuals was accessed by an unauthorized third party. This third party chose a different tack from many cyberattackers, who hold ePHI for ransom or disclose it to other unauthorized individuals: the third party deleted ePHI from the database (maybe they wanted to stand out; de gustibus non est disputandum). Note the timeline: the unauthorized access continued for roughly five months before it was reported.
Deletion of ePHI in a database should not augur absolute doom; HIPAA requires covered entities and business associates to create and maintain “retrievable exact copies of electronic protected health information.” In other words, it requires a data backup plan. The operative word is “retrievable”: a copy only counts if it survives the incident and can actually be restored, which in practice means it is kept where the same intruder cannot reach and delete it, and restoration is tested before it is needed.
OCR's investigation, though, found that USR potentially violated the HIPAA Security Rule by failing to do just that: failing to “establish and implement procedures to create and maintain retrievable exact copies of ePHI.” OCR also determined that USR potentially failed to conduct an accurate and thorough risk analysis, and failed to regularly review its information system activity (the kind of review that would be expected to surface months of unauthorized access and deletions). USR, seeking to avoid imposition of a civil monetary penalty (fine), agreed to settle the HIPAA investigation by paying OCR $337,750 and submitting to a two-year corrective action plan (CAP).
OCR Settles HIPAA Investigation With Business Associate for $337,750: We’ll be Watching
The CAP requires USR to:
- Conduct an accurate and thorough risk analysis to determine the potential risks and vulnerabilities to the confidentiality, integrity, and availability of its ePHI;
- Implement a risk management plan to address and mitigate security risks and vulnerabilities identified in the risk analysis;
- Develop a process to evaluate any environmental or operational changes that affect the security of ePHI;
- Develop, maintain, and revise as necessary, its written policies and procedures to comply with the HIPAA Rules; and
- Distribute any updated HIPAA policies and procedures to its workforce.
The written policies and procedures that USR must develop touch on each of the three HIPAA rules: the HIPAA Security Rule, the HIPAA Privacy Rule, and the HIPAA Breach Notification Rule.
USR must develop a Privacy Rule policy on uses and disclosures of PHI. USR must develop a policy on business associate breach notifications. USR also must address the Security Rule’s administrative, physical, and technical safeguard provisions. The data backup requirement is housed in the administrative provisions, as part of the contingency plan standard (45 C.F.R. § 164.308(a)(7)), alongside the related requirements for a disaster recovery plan and for testing and revising contingency plans.
“Health care entities need to ensure that they are proactively monitoring who is in their information systems, and that they have backup procedures in place to be able to create exact copies of the electronic protected health information they hold, in the event health information is held for ransom or deleted,” said OCR Director Melanie Fontes Rainer. “Effective cybersecurity includes being able to restore access to electronic health information following a cybersecurity attack, so there is no interruption in the provision of health care.”
OCR Settles HIPAA Investigation With Business Associate for $337,750: We Recommend
In its announcement of the settlement, OCR recommends that healthcare providers, health plans, clearinghouses, and business associates that are covered by HIPAA adopt the following best practices to mitigate or prevent cyber-threats:
- Review all vendor and contractor relationships to ensure business associate agreements are in place as appropriate and address breach/security incident obligations.
- Integrate risk analysis and risk management into business processes, and conduct risk analysis and risk management regularly and when new technologies and business operations are planned.
- Ensure audit controls are in place to record and examine information system activity.
- Implement regular review of information system activity.
- Utilize multi-factor authentication to ensure only authorized users are accessing ePHI.
- Encrypt ePHI to guard against unauthorized access to ePHI.
- Incorporate lessons learned from incidents into the overall security management process.
- Provide training specific to organization and job responsibilities and on a regular basis; and reinforce workforce members’ critical role in protecting privacy and security.