
OCR settles HIPAA Security Rule investigation with USR Holdings


The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) reached a $337,750 settlement with USR Holdings, LLC, a Florida-based business associate, after an unauthorized party deleted electronic protected health information (ePHI) from a database the company maintained.


What happened  

In February 2019, USR Holdings reported a breach to OCR: an unauthorized party had accessed a database containing the ePHI of 2,903 individuals between August 23, 2018, and December 8, 2018, and had deleted ePHI. The incident brought OCR's attention to gaps in USR's security and compliance program.

OCR’s investigation uncovered violations of HIPAA's Security Rule, including:  

  • Failure to conduct an accurate and thorough risk analysis of the potential risks and vulnerabilities to ePHI (45 CFR 164.308(a)(1)(ii)(A)).  
  • Failure to regularly review records of information system activity, such as audit logs and access reports, to detect unauthorized access (45 CFR 164.308(a)(1)(ii)(D)).  
  • Failure to implement procedures to create and maintain retrievable exact copies of ePHI, the Security Rule's data backup plan requirement (45 CFR 164.308(a)(7)(ii)(A)).

To address these shortcomings, USR Holdings has agreed to a corrective action plan under which OCR will monitor its HIPAA compliance for two years.  


What was said  

OCR Director Melanie Fontes Rainer stated, “Healthcare entities need to ensure that they are proactively monitoring who is in their information systems and that they have backup procedures in place to be able to create exact copies of the electronic protected health information they hold, in the event health information is held for ransom or deleted.”

“Effective cybersecurity includes being able to restore access to electronic health information following a cybersecurity attack, so there is no interruption in the provision of health care,” the Director added.  


Going deeper  

Under the settlement agreement, USR Holdings must:  

  • Conduct a risk analysis: Perform an accurate and thorough evaluation of the risks and vulnerabilities to the confidentiality, integrity, and availability of its ePHI.  
  • Develop a risk management plan: Address and mitigate the risks the analysis identifies.  
  • Update policies and procedures: Create, maintain, and revise HIPAA-compliant written policies, and train the workforce on them.  
  • Establish safeguards: Regularly review information system activity, implement multi-factor authentication (MFA), and maintain retrievable exact copies of ePHI.  
  • Monitor environmental and operational changes: Evaluate any change that affects the security of ePHI.    
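Two of the required safeguards, reviewing information system activity and keeping retrievable exact copies of ePHI, are checks that can be automated. The Python below is an added illustration, not code from the article, OCR, or USR Holdings: it builds a hash manifest of a record set so a restore can be proven exact, and it runs a basic activity review over audit log lines. The record set, the log line format, and the account names are constructed for the example.

```python
"""Added example: (1) prove a restored backup is an exact copy of the ePHI it
was taken from, and (2) review information system activity for deletions by
accounts that should not be touching records. All data below is constructed."""
import hashlib
import json
import re
from collections import Counter

# Constructed sample of an ePHI table: record id -> record content.
SOURCE_RECORDS = {
    "P-1001": {"name": "A. Example", "dob": "1970-01-01", "dx": "E11.9"},
    "P-1002": {"name": "B. Example", "dob": "1982-05-14", "dx": "I10"},
    "P-1003": {"name": "C. Example", "dob": "1995-09-30", "dx": "J45.20"},
}


def build_manifest(records):
    """Content-addressed manifest: record id -> SHA-256 of its canonical JSON.
    Store it with each backup so a later restore can be checked against it."""
    manifest = {}
    for rid, rec in records.items():
        canonical = json.dumps(rec, sort_keys=True, separators=(",", ":"))
        manifest[rid] = hashlib.sha256(canonical.encode("utf-8")).hexdigest()
    return manifest


def verify_restore(manifest, restored):
    """Compare a restored copy against the manifest taken at backup time.
    An exact copy yields three empty lists; anything else is a failed restore."""
    restored_manifest = build_manifest(restored)
    missing = sorted(set(manifest) - set(restored_manifest))
    extra = sorted(set(restored_manifest) - set(manifest))
    altered = sorted(rid for rid in manifest
                     if rid in restored_manifest
                     and restored_manifest[rid] != manifest[rid])
    return {"missing": missing, "altered": altered, "extra": extra}


# Constructed audit log in an assumed "timestamp user action record_id" form.
SAMPLE_LOG = """\
2018-08-23T02:14:05Z svc_report SELECT P-1001
2018-08-23T02:14:09Z svc_report SELECT P-1002
2018-09-02T03:40:11Z admin_tmp DELETE P-1003
2018-09-02T03:40:12Z admin_tmp DELETE P-1002
2018-12-08T23:59:58Z dba_jane SELECT P-1001
"""
LOG_RE = re.compile(r"^(\S+) (\S+) (SELECT|INSERT|UPDATE|DELETE) (\S+)$")


def review_activity(log_text, authorized_users):
    """Information system activity review: flag every record-level action by an
    account outside the authorized set, and count DELETEs per user so a burst
    of deletions stands out even when the account is a known one."""
    findings = []
    deletes = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            findings.append({"reason": "unparseable", "line": line})
            continue
        ts, user, action, rid = m.groups()
        if action == "DELETE":
            deletes[user] += 1
        if user not in authorized_users:
            findings.append({"reason": "unauthorized_account", "ts": ts,
                             "user": user, "action": action, "record": rid})
    return findings, dict(deletes)


if __name__ == "__main__":
    manifest = build_manifest(SOURCE_RECORDS)
    # Simulate the incident: one record was deleted before the next backup ran,
    # so restoring from that backup cannot bring it back.
    after_incident = {k: v for k, v in SOURCE_RECORDS.items() if k != "P-1003"}
    print(verify_restore(manifest, after_incident))
    findings, deletes = review_activity(SAMPLE_LOG, {"svc_report", "dba_jane"})
    for f in findings:
        print(f)
    print(deletes)
```

The manifest must be produced from the live data at backup time and kept separately from the backup itself; a manifest generated from the backup proves nothing. Likewise, the activity review only works if the audit log is written somewhere the same account that deletes records cannot also edit.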



The bottom line  

Violating HIPAA's Security Rule can have serious consequences, including financial penalties, years of OCR monitoring, and reputational harm. The controls at issue here are basic ones: a current risk analysis, routine review of system activity logs, and backups that have been shown to restore ePHI exactly. Organizations that handle ePHI must have all three in place to limit the damage of a breach and maintain patient trust. 


FAQs

Who needs to comply with HIPAA?

HIPAA compliance is required for covered entities, such as healthcare providers, health plans, and healthcare clearinghouses, as well as their business associates who handle protected health information (PHI).


What are patient rights under HIPAA?

Patients have the right to access their PHI, obtain a copy of it (including an electronic copy), and request corrections. They can also request an accounting of certain disclosures, request restrictions on some uses and disclosures, file complaints, and must be notified of breaches of their unsecured PHI.


Can covered entities share PHI without patient consent?

The Privacy Rule permits covered entities to use and disclose PHI without the patient's written authorization for treatment, payment, and healthcare operations, when required by law, and for a limited set of other specified purposes (for example, public health reporting). Uses and disclosures outside those categories generally require the patient's written authorization.