
OCR Resolves Multiple Security Rule Failures with USR Holdings with $337,750 Settlement

It was a busy end to 2024 for the HHS’ Office for Civil Rights (OCR) on the HIPAA enforcement front. By mid-December 2024, OCR had announced 16 settlements and civil monetary penalties to resolve alleged violations of the HIPAA Rules; however, in her end-of-year wrap-up of OCR accomplishments, OCR Director Melanie Fontes Rainer stated that there had been 22 HIPAA enforcement actions in 2024, three of which were announced this week.

Earlier this week, OCR announced two settlements to resolve ransomware-related investigations that uncovered risk analysis failures: an $80,000 settlement with Elgon Information Systems and a $90,000 settlement with Virtual Private Network Solutions. On January 8, 2025, OCR announced that a $337,750 settlement had been agreed with the Florida business associate USR Holdings, LLC, to resolve multiple alleged violations of the HIPAA Security Rule.

USR Holdings is a holding company that owns and manages primary mental health and substance abuse treatment facilities in Florida, Maryland, and Kentucky. In its capacity as a HIPAA business associate, USR Holdings provides administrative oversight and support services from its Port St. Lucie base and runs a substance abuse marketing center in Coconut Creek, Florida. On February 8, 2019, USR Holdings submitted a breach report to OCR about a network server hacking incident that involved the protected health information of 2,903 individuals.

The breach was relatively small by 2019 standards, when the average data breach size was 88,003 records. This enforcement action demonstrates that the size of a breach is not what matters: any data breach or complaint that puts a HIPAA-regulated entity on OCR’s radar can trigger an investigation. OCR investigates all data breaches of 500 or more records to assess whether the breach was likely caused by HIPAA noncompliance, and if serious HIPAA violations are uncovered, a financial penalty is likely.

The breach report was filed on behalf of three covered entities and informed OCR that, between December 8, 2018, and January 9, 2019, USR Holdings discovered that a database containing ePHI had been accessed without authorization. The unauthorized access was blocked on December 8, 2018, but it had begun on August 23, 2018, and had gone undetected for almost four months. During that time, unauthorized third parties were able to delete ePHI from the database. That dwell time is the gap that routine review of information system activity records, one of the provisions cited below, is intended to close.

OCR’s investigation identified alleged violations of four provisions of the HIPAA Rules:

  • The failure to conduct an accurate and thorough risk analysis to identify risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI – 45 C.F.R. § 164.308(a)(1)(ii)(A)
  • The failure to implement procedures for reviewing records of information system activity such as logs and access reports – 45 C.F.R. § 164.308(a)(1)(ii)(D)
  • The failure to establish and implement procedures to create and maintain retrievable exact copies of ePHI – 45 C.F.R. § 164.308(a)(7)(ii)(A)
  • Unauthorized access to the ePHI of 2,903 individuals and the deletion of ePHI – 45 C.F.R. § 164.502(a)

In addition to the financial penalty, USR Holdings has agreed to adopt a corrective action plan (CAP), and OCR will monitor USR Holdings for compliance with the HIPAA Rules for two years. The CAP requires a comprehensive and accurate risk analysis, a risk management plan, the development of a process for evaluating environmental or operational changes that affect the security of ePHI, the development of HIPAA policies and procedures to ensure full compliance with the HIPAA Rules, and the distribution of those policies and procedures to the workforce.

“Health care entities need to ensure that they are proactively monitoring who is in their information systems and that they have backup procedures in place to be able to create exact copies of the electronic protected health information they hold, in the event health information is held for ransom or deleted,” said OCR Director Melanie Fontes Rainer, announcing the settlement. “Effective cybersecurity includes being able to restore access to electronic health information following a cybersecurity attack, so there is no interruption in the provision of health care.”

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
