Medical Practice Agrees to Pay $250,000 HIPAA Settlement Following Ransomware Attack

Saul Ewing LLP
In late September 2024, the U.S. Department of Health and Human Services (“HHS”), Office for Civil Rights (“OCR”) announced a settlement with Cascade Eye and Skin Centers, P.C., a health care provider in the state of Washington (“CESC”), concerning potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule.  

What You Need to Know:

  • OCR continues to be focused on ransomware incidents and HIPAA compliance.
  • HIPAA-covered entities and business associates must maintain HIPAA Security Rule and Privacy Rule compliance. 
  • OCR investigations can result in expensive settlements and ongoing OCR oversight of an entity’s HIPAA compliance efforts.

In 2017, CESC was the victim of a ransomware attack that affected 291,000 of its files that contained protected health information (“PHI”). OCR’s subsequent investigation of CESC suggested that CESC had not done an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of the electronic PHI (“ePHI”) held by CESC, nor had it implemented procedures to review records of its information system activities. 

While CESC admitted no wrongdoing as part of the OCR $250,000 settlement, CESC entered into a two-year corrective action plan (“CAP”) by which CESC has agreed to perform each of the following:  

  • conduct an accurate and thorough risk analysis of its ePHI;
  • develop an enterprise-wide risk management plan to address and mitigate the security risks and vulnerabilities identified from the risk analysis it performs; 
  • develop a written process to regularly review records of information system activity;
  • develop and implement contingency plan policies and procedures to respond to an emergency that damages any CESC system that holds its ePHI;
  • implement a process to assign a unique user identification for its systems containing ePHI; 
  • develop, maintain, and revise (as needed) its HIPAA Privacy Rule and Security Rule policies; 
  • distribute its HIPAA policies to its workforce and business associates; and 
  • submit to HHS an implementation report with an attestation and annual reports, including a summary of all reportable events.   

In its press release announcing the CESC settlement, OCR noted that “since 2018, there has been a 264 percent increase in large breaches reported to OCR involving ransomware attacks.” The OCR investigation of CESC began in 2017 and, beyond the settlement amount itself, was presumably a costly and distracting process for CESC.

A copy of the CESC corrective action plan can be retrieved here.

Maintaining the security of a covered entity’s ePHI is paramount with respect to compliance with the HIPAA Security Rule and Privacy Rule. Ransomware and hacking remain prevalent concerns, and electronic security issues generally can cause havoc for health care providers and their business associates with respect to a breach or other security incident.

As part of the CESC settlement press release, OCR noted that it “recommends health care providers, health plans, clearinghouses, and business associates that are covered by HIPAA take the following steps to mitigate or prevent cyber-threats”:

  • Review all vendor and contractor relationships to ensure business associate agreements are in place as appropriate and address breach/security incident obligations. 
  • Integrate risk analysis and risk management into business processes, conducted regularly and when new technologies and business operations are planned. 
  • Ensure audit controls are in place to record and examine information system activity. 
  • Implement regular review of information system activity. 
  • Utilize multi-factor authentication to ensure only authorized users are accessing ePHI. 
  • Encrypt ePHI to guard against unauthorized access to ePHI. 
  • Incorporate lessons learned from incidents into the overall security management process. 
  • Provide training specific to organization and job responsibilities and on a regular basis; reinforce workforce members’ critical role in protecting privacy and security.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Saul Ewing LLP
