BlogLine

Recent enforcement efforts by the Office for Civil Rights serve as warnings to HIPAA covered entities for compliance in 2024

12/18/23

By: Gaia T. Linehan

Healthcare providers, health plans, and healthcare clearing houses are subject to the HIPAA Privacy and Security Rules. As such, they are required to notify patients and file data breach reports with the United States Department of Health and Human Services (“HHS”) whenever patients’ Electronic Protected Health Information (“ePHI”) is compromised by a data security incident such as a data breach or ransomware attack. The Office for Civil Rights (“OCR”) within HHS is required to investigate these incidents whenever the ePHI of 500 or more individuals is compromised, and it has discretion to investigate smaller incidents below that amount. Recent enforcement actions by OCR show it is increasing its efforts to pursue recourse against covered entities that experience data security incidents as a result of not complying with the Privacy and Security Rules.  

In a first of its kind, on October 31, 2023, OCR settled claims arising from its investigation of a ransomware attack against Doctors’ Management Services (“DMS”) – a Massachusetts-based medical management company. The settlement resolved an investigation into a Gandcrab ransomware attack in which 206,695 individuals’ records were forcibly encrypted, preventing DMS access and control until the ransom was paid. Notably, there were no reports that the DMS data was exfiltrated or posted to a dark web “shaming site.” Nevertheless, based on OCR’s interpretation that encryption alone is an unauthorized “access to or acquisition” of ePHI, and thus a presumptive “data breach,” OCR and DMS entered into a Resolution Agreement requiring a $100,000 penalty and implementation of an agreed-upon Corrective Action Plan (“CAP”).  

As a basis for the enforcement, OCR found that before the attack, DMS failed to perform a risk analysis for its systems’ vulnerabilities and failed to implement procedures to comply with HIPPA rules and identify threats. To correct the shortcomings, the Resolution Agreements require DMS to (1) conduct an updated Risk Analysis with a complete inventory of technical and physical assets and facilities containing PHI and an updated Risk Management Plan addressing the risks identified; (2) revise its written policies and procedures, incorporating minimum content principles; and (3) revise its employee training program that will be reviewed, approved, and monitored by HHS for one year after implementation.  

In another case, on December 7, 2023, OCR settled claims arising from its investigation of an email phishing attack against Lafourche Medical Group (“Lafourche”) – a Louisiana medical group specializing in emergency medicine, occupational medicine, and laboratory testing. The phishing attack led to a compromise of Lafourche’s systems that affected the ePHI of approximately 34,862 individuals. Based on its investigation, OCR found Lafourche failed to conduct a risk analysis and test its systems to identify potential threats and vulnerabilities to ePHI, as required by HIPAA. OCR also found Lafourche failed to instate and enforce procedures to systematically review its systems for potential cyberattacks.  

To settle OCR’s claims and correct the alleged shortcomings, Lafourche agreed to pay $480,000 and implement a CAP mandating that it:  

• Establish and implement measures for risk analysis of potential risks and vulnerabilities to its system; 
• Develop, maintain, and periodically revise policies and procedures to comply with HIPPA Rules; and 
• Create and adopt an enterprise-wide risk management plan. 

While OCR has obtained settlements in the past after its investigation of data breaches, these cases mark the first times it has done so in cases involving a ransomware attack and a phishing attack. With the increased risk of third-party litigation for HIPAA-regulated entities, now combined with the continued enforcement efforts of OCR, covered entities and business associates should be proactive in ensuring compliance with HIPAA. This includes reviewing all policies and procedures required by the Security and Privacy Rules and, perhaps most critically, completing an annual risk assessment of potential threats and vulnerabilities to PHI and implementing a risk management plan to address the risks found. Not only will these steps help prevent data security incidents from occurring, but they also will provide important factual defenses to claims that may come afterward by demonstrating proactive, good-faith efforts to protect PHI and comply with HIPAA.  

FMG’s Data Security, Privacy & Technology attorneys are available to help clients with their HIPAA compliance, including pre-incident review and revisions to its policies and procedures, assistance with risk assessment and risk management plans, and employee training programs. For more information on the topic and to find out how FMG can help, contact Gaia Linehan at gaia.linehan@fmglaw.com.