HIPAA Times news | Concise, reliable news and insights on HIPAA compliance and regulations

HHS reaches $90K settlement in first Risk Analysis Initiative enforcement

Written by Kirsten Peremore | Nov 1, 2024 11:51:29 PM

The HHS has settled its first enforcement action in the OCR’s Risk Analysis Initiative in a settlement with the Bryan County Ambulance Authority. 


What happened 

The BCAA has agreed to pay a settlement of $90,000 following a ransomware attack that compromised the protected health information (PHI) of patients. The settlement stems from an investigation revealing that the BCAA had not conducted the required risk analysis under the HIPAA Security Rule, a necessary activity for the identification and mitigation of cybersecurity threats. As part of the resolution agreement, BCAA is also required to adhere to a corrective action plan aimed at improving its compliance with privacy and security standards.


The backstory

The BCAA experienced a ransomware attack on November 24, 2021, which led to the encryption of files on its network. The attack impacted the PHI of approximately 14,273 patients. In May 2022, the BCAA reported the breach to the HHS, triggering an investigation by the OCR. 


What was said 

In the press release, OCR Director Melanie Fontes Rainer said, “Failure to conduct a HIPAA Security Rule risk analysis leaves health care entities vulnerable to cyberattacks, such as ransomware. Knowing where your ePHI is held and the security measures in place to protect that information is essential for compliance with HIPAA. OCR created the Risk Analysis Initiative to increase the number of completed investigations and highlight the need for more attention and better compliance with this Security Rule requirement.”


FAQs

What is the Privacy Rule? 

It established the national standards for protecting people's medical records and personal health information. 


What is the Security Rule?

It sets the standards for safeguarding electronic protected health information (ePHI) through administrative, physical, and technical safeguards.

Who is subject to HIPAA?

It applies to healthcare providers, health plans, and healthcare clearinghouses as well as the business associates whom they employ.