Top of the World Ranch Treatment Center Settles Alleged Risk Analysis HIPAA Violation
The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has announced its first financial penalty of the year to resolve an alleged violation of the HIPAA Rules. Top of the World Ranch Treatment Center, a Milan, Illinois-based addiction treatment provider, has agreed to pay a $103,000 financial penalty to settle an allegation that it violated the risk analysis requirement of the HIPAA Security Rule.
The number of data breaches reported to OCR involving hacking increased by 239% between 2018 and 2023, and hacking incidents have continued to be reported in high numbers since. In an effort to improve healthcare cybersecurity and reduce the number of successful hacking incidents, OCR launched an enforcement initiative targeting noncompliance with a specific requirement of the HIPAA Security Rule – the risk analysis. The risk analysis is one of the most important HIPAA requirements for improving security.
The enforcement initiative is intended to make it harder for hackers to succeed by ensuring that the vulnerabilities they exploit to gain access to healthcare networks are identified and addressed in a timely manner. OCR’s HIPAA compliance audits and data breach investigations consistently uncovered risk analysis failures, including failures to conduct a risk analysis and incomplete risk analyses. If healthcare organizations do not conduct a comprehensive, organization-wide risk analysis to identify all risks to the confidentiality, integrity, and availability of electronic protected health information (ePHI), risks and vulnerabilities will remain and can potentially be exploited by hackers.
Including the latest penalty, OCR has resolved 11 investigations of ePHI breaches with settlements or civil monetary penalties for alleged violations of the risk analysis provision of the HIPAA Security Rule. “In a time where health care providers and other HIPAA-regulated entities are facing unprecedented cybersecurity threats, compliance with the HIPAA Risk Analysis provision is more essential than ever,” said OCR Director Paula M. Stannard. “Covered entities and business associates cannot protect electronic protected health information if they haven’t identified potential risks and vulnerabilities to that health information.”
The incident that prompted OCR’s investigation of Top of the World Ranch Treatment Center was a phishing incident. An employee was tricked by a phishing email into disclosing their credentials, which allowed a hacker to access a single business email account for several hours on November 17, 2022. The email account was reviewed and found to contain the ePHI of 1,980 individuals, including their names, Social Security numbers, diagnosis information, treatment information, and health insurance information.
OCR investigated, and Top of the World Ranch Treatment Center was unable to provide evidence that a HIPAA-compliant risk analysis had been conducted prior to the data breach, in violation of 45 C.F.R. § 164.308(a)(1)(ii)(A) of the HIPAA Security Rule. Under the current enforcement initiative, financial penalties will be imposed for risk analysis failures. OCR notified Top of the World Ranch Treatment Center of its intention to impose a financial penalty to address the alleged violation and offered to settle the alleged violation informally. Settlements involve a reduced financial penalty, although the HIPAA-regulated entity must adopt a corrective action plan.
Top of the World Ranch Treatment Center is required to conduct a comprehensive, organization-wide risk analysis to identify all risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI. Based on the risk analysis, a risk management plan must be developed and implemented to reduce all identified risks and vulnerabilities to a low and acceptable level. After the initial risk analysis, Top of the World Ranch Treatment Center must conduct an accurate and thorough risk analysis at least annually, and subject risks to a HIPAA-compliant risk management process.
Further, policies and procedures must be developed, implemented, and maintained to comply with the HIPAA Rules, specifically covering risk analyses, risk management, information system activity reviews, and breach notifications. The new policies must be distributed to the workforce, training materials must be developed (and approved by OCR), and HIPAA training must be provided to the workforce.