HIPAA Security Rule Settlement Results in $950,000 Payment by a Mid-Atlantic Health System

Saul Ewing LLP

On July 1, 2024, the U.S. Department of Health and Human Services (“HHS”) Office For Civil Rights (“OCR”) announced a $950,000 settlement with Heritage Valley Health System (“Heritage Valley”) and a three-year Corrective Action Plan (“CAP”). 

What You Need to Know:

  • HIPAA Security Rule (and Privacy Rule) compliance remains important for covered entities and business associates.
  • Ransomware and hacking incidents are significant threats to parties in the health care delivery system.
  • The consequences of an OCR settlement, both financial and in terms of time, can be meaningful.

According to the OCR press release, Heritage Valley – which provides care in Pennsylvania, Ohio and West Virginia – suffered a ransomware attack. OCR’s compliance review of Heritage Valley’s HIPAA compliance began in October 2017. Although Heritage Valley admitted no wrongdoing, OCR’s investigation identified potential HIPAA violations, including Heritage Valley’s failure to (i) conduct an accurate and thorough risk analysis; (ii) have policies and procedures for responding to emergencies that damage systems containing ePHI; and (iii) implement technical policies and procedures for systems that maintain ePHI to limit access. 

The CAP requires Heritage Valley to:

  • conduct a comprehensive and thorough risk analysis related to the confidentiality, integrity and availability of its PHI;
  • develop an enterprise-wide risk management plan to address and mitigate any security risks identified through the risk analysis; 
  • review and revise, as needed, its policies related to multiple HIPAA Security Rule provisions;
  • distribute its updated policies and procedures to its workforce members; and
  • train members of its workforce with respect to the HIPAA Security Rule. 

HIPAA Security Rule compliance is a very important issue for covered entities and business associates. Ransomware and hacking are significant cyber threats within the health care delivery system. According to OCR, “Since 2018, there has been a 264 percent increase in large breaches reported to OCR involving ransomware attacks.”

The Heritage Valley resolution agreement and corrective action plan can be reviewed at: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/hvhs-ra-cap/index.html

During the past few years, HHS OCR has been actively informing parties of the need to have robust HIPAA Security Rule policies in effect to protect ePHI. The Heritage Valley settlement is an expensive reminder of the governmental consequences that can result from a ransomware attack.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Saul Ewing LLP | Attorney Advertising
