The Department of Health and Human Services’ Office for Civil Rights (OCR) reported its 7th HIPAA enforcement action as part of its HIPAA risk analysis enforcement initiative. The settlement of an alleged HIPAA risk analysis violation involved the Guam hospital authority paying $25,000.
OCR started the enforcement initiative after identifying the risk analysis implementation specification as the most commonly violated provision of the HIPAA Security Rule in its breach investigations and HIPAA audits. Risk analysis is a foundational HIPAA requirement for preventing hacking incidents and ransomware attacks: it is the first step in determining and applying the safeguards needed to comply with the HIPAA Security Rule. When a risk analysis is not performed, or is not sufficiently detailed and accurate, risks will most likely go unidentified, leaving vulnerabilities that malicious actors can exploit to gain access to ePHI.
The risk analysis is an administrative safeguard required by the HIPAA Security Rule. All HIPAA-covered entities and business associates must perform a risk analysis, as stated in § 164.308(a)(1)(ii)(A). The identified risks and vulnerabilities must then be addressed through a risk management process, including the application of security measures sufficient to reduce those risks and vulnerabilities to a reasonable and appropriate level.
OCR began investigating Guam Memorial Hospital Authority (GMHA), a public hospital in the U.S. territory of Guam, after receiving a complaint concerning a ransomware attack in December 2018. During the investigation, a second complaint was filed regarding a data breach in which former employees accessed systems containing patients’ electronic protected health information (ePHI) after their employment had ended. OCR’s investigation confirmed that the ePHI of about 5,000 patients was compromised in the ransomware attack, and that two former employees gained unauthorized access in March 2023. Neither breach has yet been posted on the OCR breach website.
OCR determined that GMHA had not performed an accurate and comprehensive risk analysis, and under the current enforcement initiative that finding warranted a financial penalty for the HIPAA violation. GMHA agreed to resolve the alleged violation by paying a $25,000 penalty and adopting a corrective action plan that addresses all potential areas of noncompliance with the HIPAA Rules. OCR will monitor GMHA’s compliance with the corrective action plan for three years.
The corrective action plan has several requirements. GMHA must perform a detailed, organization-wide risk analysis and develop a risk management plan, which must be implemented to reduce all identified risks to a low and acceptable level. Processes must be put in place for recording and reviewing activity logs on information systems that contain ePHI. Policies and procedures must be created, enforced, and maintained to ensure compliance with the HIPAA Rules. GMHA must enhance its security and HIPAA training programs, and all employees must complete the training and confirm that they received it. GMHA must also review access credentials and terminate unauthorized accounts and privileges to prevent unapproved access to ePHI. Finally, GMHA must conduct breach risk assessments for the December 2018 ransomware attack and the March 2023 unauthorized access incidents, submit breach reports to OCR, and issue notification letters to the affected individuals.