In late October, the U.S. Department of Health and Human Services (HHS) reached a settlement agreement with a medical management company based in Massachusetts over alleged HIPAA violations. Under the settlement terms, the company will pay $100,000 and comply with a three-year corrective action plan (CAP).
The company is a HIPAA business associate (BA) that provides services to HIPAA-covered entities (CEs), including payer credentialing and medical billing. The violations involved HIPAA’s Privacy and Security Rules.
This settlement is the first to deal with HIPAA violations arising from a ransomware attack. Ransomware is malware (malicious software) that blocks a user’s access to their data by encrypting it. The attacker who deploys the malware holds the decryption key and withholds it until the ransom is paid. In recent years, HHS has released a great deal of guidance concerning the threats that ransomware attacks pose to protected health information (PHI) and electronic PHI (ePHI).
The BA’s HIPAA Violations
HHS began investigating the company in 2019 after receiving a notification from the company that its server had been infected by GandCrab ransomware two years prior, resulting in unauthorized access to its network. The attack, which affected the ePHI of over 206,000 individuals, went undetected for nearly 18 months; the BA discovered it only when the ransomware encrypted its data.
Through its investigation, HHS found that the BA had violated the HIPAA Privacy Rule by disclosing individuals’ ePHI without authorization and the HIPAA Security Rule by failing to:
- Perform a thorough risk analysis of the risks and vulnerabilities to the ePHI;
- Implement adequate procedures to review information system activity regularly; and
- Establish policies and procedures in compliance with the Security Rule.
Content of the CAP
The CAP will address HIPAA policy and procedures, training, and risk analysis and management, following a structured plan implemented over three years.
HIPAA Policy and Procedures
The CAP requires the BA to revise its existing HIPAA policies and procedures to address certain aspects of HIPAA’s Security Rule. These include security awareness and training, and regular review of information system activity.
Once HHS approves them, the BA must adopt the revised HIPAA policies and procedures and promptly distribute them to all workers who use or disclose ePHI. Likewise, the BA must distribute the policies to new workers within 30 days of their start date.
The BA must promptly investigate any employee noncompliance with its HIPAA policies and procedures and report it to HHS. It also must report any sanctions that it imposes on the non-compliant employees.
Training
Under the CAP, the BA must revise any HIPAA training materials and submit existing and/or revised training materials to HHS for approval. Once approved, the BA must promptly provide HIPAA compliance training to all employees with access to PHI and conduct annual training for all employees thereafter. The BA must obtain written or electronic certification from each employee with access to PHI of training completion and the training date.
The BA must submit a training report and annual reports to HHS throughout the three-year duration of the CAP. In addition, it must maintain records of compliance with the training component of the CAP for six years.
Risk Analysis and Management
The CAP also requires the BA to conduct a thorough risk analysis of the potential risks and vulnerabilities concerning its existing systems that store ePHI. The BA must completely inventory all electronic equipment, systems, and applications that house or store ePHI.
The BA must detail and document its security measures to prevent unauthorized access and disclosure of ePHI, including network segmentation and infrastructure, vulnerability scanning, logging and alerts, and patch management. HHS must approve the BA’s risk analysis.
Finally, the BA must adopt a risk management plan to address and minimize any security risks and vulnerabilities identified during the risk analysis. This plan must detail any remediation that the BA intends to undertake, along with the timeline and process that the BA will follow for implementing, evaluating, and updating those remediation measures. Again, HHS must approve the risk management plan. Once approved, the BA must implement the plan promptly.