OCR Resolves Guam Hospital HIPAA Investigation with a $25,000 Settlement
The Department of Health and Human Services’ Office for Civil Rights (OCR) has announced its 7th HIPAA enforcement action under its HIPAA risk analysis enforcement initiative, settling an alleged HIPAA risk analysis violation with a Guam hospital authority for $25,000.
OCR launched the enforcement initiative because the risk analysis implementation specification was the most commonly identified HIPAA Security Rule violation in OCR’s investigations and HIPAA audits. The risk analysis is a foundational HIPAA requirement for preventing hacking incidents and ransomware attacks, and the first step in identifying and implementing safeguards to comply with the requirements of the HIPAA Security Rule. If the risk analysis is not completed, or is not comprehensive and accurate, risks are likely to go unidentified and unaddressed, leaving them open to exploitation by malicious actors seeking access to ePHI.
The risk analysis is one of the administrative safeguards of the HIPAA Security Rule and is a “required” implementation specification, meaning all HIPAA-regulated entities must conduct a risk analysis. § 164.308(a)(1)(ii)(A) calls for all regulated entities to “Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.” The identified risks and vulnerabilities must then be subject to a risk management process, involving the implementation of “security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.”
OCR launched an investigation of Guam Memorial Hospital Authority (GMHA), a public hospital in the U.S. territory of Guam, after receiving a complaint about a December 2018 ransomware attack. While that complaint was being investigated, OCR received a further complaint about a data breach involving unauthorized access by former employees to systems containing patients’ electronic protected health information (ePHI). OCR’s investigation confirmed that there had been unauthorized access to the ePHI of up to 5,000 individuals in the ransomware attack, and unauthorized access to patients’ ePHI by two former employees in March 2023 after their employment had ended. Neither breach is currently listed on the OCR breach portal.
OCR determined that GMHA had failed to conduct an accurate and thorough risk analysis, and under the current enforcement initiative, the HIPAA violation warranted a financial penalty. GMHA agreed to settle the alleged violation, pay a financial penalty of $25,000, and adopt a corrective action plan to address all potential areas of noncompliance with the HIPAA Rules. GMHA will be monitored for compliance with the corrective action plan for three years.
There are several requirements in the corrective action plan. GMHA must conduct a comprehensive, organization-wide risk analysis, and a risk management plan must be developed and implemented to address any identified risks to reduce them to a low and acceptable level. Processes must be implemented for recording and reviewing records of activity in information systems containing ePHI. Policies and procedures must be developed, implemented, and maintained to ensure compliance with the HIPAA Rules, and the policies must be distributed to the workforce. GMHA must augment its HIPAA and security training programs, and all members of the workforce must receive training and certify that the training has been received. GMHA must also conduct a review of access credentials and ensure that accounts and privileges are terminated, as required, to prevent unauthorized access to ePHI.
Further, breach risk assessments must be conducted for the December 2018 ransomware attack and the March 2023 unauthorized access incidents. The breaches must be reported to OCR, and notifications must be issued to the affected individuals. “Ransomware and hacking are the primary cyber-threats to electronic protected health information within the health care industry. Failure to conduct a HIPAA risk analysis puts this information at risk and vulnerable to future ransomware attacks and other cyber-threats,” said OCR Acting Director Anthony Archeval.

OCR has been actively enforcing compliance with the HIPAA Rules and closed 22 investigations last year with financial penalties. The aggressive enforcement of HIPAA compliance has continued under the Trump administration, with five financial penalties announced so far this year and more than $2 million collected in settlements and civil monetary penalties.