The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced today a $337,750 settlement with USR Holdings, LLC (USR), a Florida-based business associate, for violations of the HIPAA Security Rule. OCR enforces the HIPAA Privacy, Security, and Breach Notification Rules, which establish the requirements that covered entities and business associates must follow to safeguard protected health information (PHI). The HIPAA Security Rule mandates national standards to ensure the confidentiality, integrity, and availability of electronic PHI (ePHI) through administrative, physical, and technical safeguards.

This settlement follows an investigation into a breach where ePHI was deleted by an unauthorized third party.

“Health care entities must monitor their information systems to detect unauthorized access and ensure they have backup procedures to restore electronic protected health information if it is deleted or held for ransom,” said OCR Director Melanie Fontes Rainer. “Effective cybersecurity also includes the ability to restore ePHI promptly to avoid interruptions in health care delivery.”

Details of the Breach

OCR launched an investigation after USR reported a breach in February 2019. Between August 23, 2018, and December 8, 2018, an unauthorized third party accessed a database containing the ePHI of 2,903 individuals and deleted the information. OCR’s investigation uncovered several potential HIPAA violations, including:

  • Failure to conduct a comprehensive risk analysis to identify potential risks and vulnerabilities to ePHI.
  • Failure to regularly review system activity.
  • Failure to establish and implement procedures to create and maintain retrievable, exact copies of ePHI.

Corrective Action Plan

Under the settlement, OCR will monitor USR for two years to ensure HIPAA compliance. Additionally, USR agreed to pay $337,750 and implement a corrective action plan with the following measures:

  • Conducting a thorough risk analysis to assess risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI.
  • Implementing a risk management plan to address and mitigate identified risks.
  • Developing procedures to evaluate changes in the environment or operations that could affect ePHI security.
  • Maintaining, revising, and distributing updated HIPAA policies and procedures to its workforce.

Cybersecurity Best Practices

OCR advises covered entities and business associates to adopt the following strategies to mitigate cyber threats:

  • Review vendor and contractor relationships to ensure appropriate business associate agreements are in place.
  • Regularly integrate risk analysis and risk management into business processes, especially when adopting new technologies or operations.
  • Ensure audit controls are implemented to monitor and examine information system activity.
  • Conduct regular reviews of information system activity to detect unauthorized access.
  • Utilize multi-factor authentication to restrict ePHI access to authorized users only.
  • Encrypt ePHI to protect against unauthorized access.
  • Incorporate lessons learned from incidents into security management plans.
  • Provide regular, role-specific training to workforce members on privacy and security responsibilities.