HHS enforces HIPAA security rule with $950,000 settlement

In a recent move to strengthen cybersecurity standards, the U.S. Department of Health and Human Services' (HHS) Office for Civil Rights (OCR) announced a $950,000 settlement with Heritage Valley Health System (Heritage Valley) over potential violations of the Health Insurance Portability and Accountability Act (HIPAA) security rule. This settlement marks OCR's third ransomware-related enforcement action, indicating the agency's heightened focus on safeguarding electronic protected health information (ePHI) amidst a troubling surge in large-scale breaches.

What happened

The OCR's investigation into Heritage Valley revealed multiple potential violations of the HIPAA security rule, including the healthcare system's failure to:

• Conduct a detailed risk analysis to identify and mitigate potential risks and vulnerabilities to its ePHI systems.
• Implement an effective contingency plan to respond to emergencies, such as a ransomware attack, that could potentially damage systems containing ePHI.
• Establish appropriate policies and procedures to ensure only authorized users can access ePHI.

These lapses in cybersecurity left Heritage Valley vulnerable to cyber threats, making the organization an attractive target for criminal actors.

Going deeper

The $950,000 settlement requires Heritage Valley to undertake a corrective action plan that OCR will monitor for three years. Under this plan, the healthcare system must:

• Conduct an accurate and thorough risk analysis to determine the potential risks and vulnerabilities to the confidentiality, integrity, and availability of its ePHI.
• Implement a risk management plan to address and mitigate the identified security risks and vulnerabilities.
• Review, develop, maintain, and revise its HIPAA compliant policies and procedures as necessary.
• Train its workforce on the organization's HIPAA policies and procedures.

Heritage Valley aims to strengthen its cybersecurity posture and better protect its patients' sensitive health information by addressing these deficiencies.

What was said

In the announcement, OCR Director Melanie Fontes Rainer emphasized the urgent need for healthcare entities to safeguard patient data and ensure the continuity of care. She stated, "Hacking and ransomware are the most common type of cyberattacks within the healthcare sector. Failure to implement the HIPAA security rule requirements leaves healthcare entities vulnerable and makes them attractive targets to cyber criminals."

Rainer further urged healthcare providers, health plans, clearinghouses, and business associates to take proactive steps to mitigate cyber threats, including:

• Reviewing vendor and contractor relationships to ensure appropriate business associate agreements are in place.
• Integrating risk analysis and risk management into business processes.
• Implementing multi-factor authentication and data encryption to secure ePHI.
• Providing HIPAA-focused training for the workforce.

Why it matters

The Heritage Valley settlement is the latest in a series of OCR enforcement actions targeting healthcare organizations' HIPAA security rule violations. Since 2018, the agency has witnessed a staggering 264% increase in large breaches involving ransomware attacks, proving the growing cybersecurity challenges facing the industry.

These enforcement actions serve as a wake-up call for healthcare entities, reiterating the necessity of proactive risk management, security controls, and ongoing employee training to protect sensitive patient data and ensure the continuity of care.