
HHS reaches $90K settlement in first Risk Analysis Initiative enforcement


The HHS has settled its first enforcement action in the OCR’s Risk Analysis Initiative in a settlement with the Bryan County Ambulance Authority. 

 

What happened 

The BCAA has agreed to pay a settlement of $90,000 following a ransomware attack that compromised the protected health information (PHI) of patients. The settlement stems from an investigation revealing that the BCAA had not conducted the required risk analysis under the HIPAA Security Rule, a necessary activity for the identification and mitigation of cybersecurity threats. As part of the resolution agreement, BCAA is also required to adhere to a corrective action plan aimed at improving its compliance with privacy and security standards.

 

The backstory

The BCAA experienced a ransomware attack on November 24, 2021, which led to the encryption of files on its network. The attack impacted the PHI of approximately 14,273 patients. In May 2022, the BCAA reported the breach to the HHS, triggering an investigation by the OCR. 

 

What was said 

In the press release, OCR Director Melanie Fontes Rainer said, “Failure to conduct a HIPAA Security Rule risk analysis leaves health care entities vulnerable to cyberattacks, such as ransomware. Knowing where your ePHI is held and the security measures in place to protect that information is essential for compliance with HIPAA. OCR created the Risk Analysis Initiative to increase the number of completed investigations and highlight the need for more attention and better compliance with this Security Rule requirement.”


 

FAQs

What is the Privacy Rule? 

It established the national standards for protecting people's medical records and personal health information. 

 

What is the Security Rule?

It sets standards for safeguarding electronic protected health information (ePHI) through administrative, physical, and technical safeguards.

 

Who is subject to HIPAA?

It applies to healthcare providers, health plans, and healthcare clearinghouses as well as the business associates whom they employ.

 
