OCR Announces First Financial Penalty Under HIPAA Risk Analysis Enforcement Initiative
The HHS Office for Civil Rights (OCR) has confirmed that another settlement has been agreed to resolve a ransomware-related HIPAA violation, its second settlement in as many days. The latest HIPAA enforcement action is the first under OCR’s new risk analysis enforcement initiative and involved a $90,000 financial penalty and the adoption of a corrective action plan by Bryan County Ambulance Authority in Oklahoma.
A risk analysis is a required provision of the HIPAA Security Rule – 45 C.F.R. § 164.308(a)(1)(ii)(A) – and one of the most important for security. If a risk analysis is not conducted, it is highly likely that risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI) will remain unknown and could be exploited by malicious actors to gain access to networks and ePHI. When risks are identified, they must be managed and reduced to a low and acceptable level.
OCR’s investigations of large data breaches have shown that the risk analysis is something many HIPAA-regulated entities get wrong. They either fail to conduct a risk analysis at all, do not conduct one often enough, or conduct one that is incomplete. The frequency of these violations, and the impact on security of failing to conduct a comprehensive risk analysis, prompted OCR to make this aspect of HIPAA Security Rule compliance an enforcement priority.
Bryan County Ambulance Authority, an Oklahoma emergency medical service provider, experienced a ransomware attack on November 24, 2021, that resulted in the encryption of files on its network. The investigation confirmed that the affected files contained the ePHI of 14,273 patients. OCR was informed of the data breach on June 9, 2022, and launched an investigation to assess compliance with the HIPAA Rules.
OCR determined that Bryan County Ambulance Authority had never conducted a risk analysis to identify potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI, and the seriousness of the violation warranted a financial penalty. OCR gave Bryan County Ambulance Authority the opportunity to resolve the matter informally and agreed to a $90,000 settlement with no admission of liability or wrongdoing.
“Failure to conduct a HIPAA Security Rule risk analysis leaves health care entities vulnerable to cyberattacks, such as ransomware. Knowing where your ePHI is held and the security measures in place to protect that information is essential for compliance with HIPAA,” said OCR Director Melanie Fontes Rainer. “OCR created the Risk Analysis Initiative to increase the number of completed investigations and highlight the need for more attention and better compliance with this Security Rule requirement.”
The settlement includes a corrective action plan (CAP) and monitoring of compliance by OCR for 3 years. The corrective action plan requires Bryan County Ambulance Authority to conduct a comprehensive and accurate risk analysis and submit the findings to OCR, along with a complete inventory of all electronic equipment, data systems, off-site data storage facilities, and applications that contain or store ePHI. A risk analysis must be conducted annually thereafter.
An enterprise risk management plan must be developed and implemented after each risk analysis to reduce the identified risks and vulnerabilities to a low and acceptable level. The CAP also requires Bryan County Ambulance Authority to develop, implement, and maintain written policies and procedures to comply with the HIPAA Rules. After OCR approves those policies and procedures, they must be distributed to all members of the workforce who have access to ePHI, and training on them must be provided at that time and annually thereafter.
New employees with access to ePHI must be provided with the policies within 30 days and all employees with access to ePHI must sign, in writing or electronically, to confirm they have received the policies and procedures. No workforce member should be provided with access to ePHI until the written or electronic certification has been received. If the compliance team learns that a member of the workforce has likely failed to comply with the policies and procedures, the incident must be investigated promptly. OCR must be provided with quarterly reports of any violations.
This is the 11th OCR HIPAA enforcement action of 2024 to result in a financial penalty and its 7th HIPAA fine for a ransomware-related data breach. OCR has collected more than $7 million in HIPAA fines so far this year, more than the total fines collected in 2022 and 2023 combined.