Top of the World Ranch Treatment Center (TWRTC) paid $103,000 to the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) to settle a potential HIPAA Security Rule violation and will implement required corrective actions.
HIPAA Security Rule Violation Identified
OCR determined that Top of the World Ranch Treatment Center, an Illinois substance use disorder treatment provider, did not conduct an accurate and thorough risk analysis as required under the HIPAA Security Rule’s administrative safeguard provisions. Covered entities and business associates must conduct this risk analysis to protect the confidentiality, integrity, and availability of electronic protected health information (ePHI).
Breach Report and Investigation Trigger
OCR investigated TWRTC after receiving a breach report filed in March 2023. The breach report indicated that a successful phishing attack enabled unauthorized access to electronic protected health information (ePHI) through a workforce member’s email account. The report indicated that the breach affected the ePHI of 1,980 patients.
OCR Enforcement Initiative and Settlement Terms
The settlement is the 11th enforcement action under OCR’s risk analysis initiative addressing alleged failures to comply with the risk analysis requirement of the HIPAA Security Rule. TWRTC agreed to pay a $103,000 financial penalty to resolve the investigation. The resolution agreement also requires TWRTC to implement a corrective action plan under the supervision of OCR for two years.
Corrective Action Requirements
The corrective action plan requires the covered entity to conduct and complete a documented risk analysis that accurately assesses the risks to the confidentiality, integrity, and availability of its ePHI. The provider must develop and implement a risk management plan to address and mitigate risks and vulnerabilities identified in the risk analysis. Written policies and procedures that comply with the HIPAA Security Rule, HIPAA Privacy Rule, and HIPAA Breach Notification Rule must be maintained and updated as necessary. Workforce members with access to ePHI must receive annual HIPAA training on the updated policies and procedures.
OCR Director Paula M. Stannard remarked that compliance with the HIPAA Security Rule is essential for protecting ePHI and addressing cybersecurity threats. OCR’s official settlement announcement outlines additional measures that covered entities and business associates may implement to address or prevent cyber threats, including identifying where ePHI is located in an organization, conducting periodic risk analyses, and ensuring appropriate audit controls and authentication mechanisms.