In a recent settlement with an accounting firm, the U.S. Department of Health and Human Services (“HHS”), Office for Civil Rights (“OCR”) reinforced its ongoing commitment to holding business associates accountable for the full array of requirements under the HIPAA Security Rule (the “Security Rule”), including the requirement to conduct a risk analysis of threats and vulnerabilities to electronic protected health information (“ePHI”). The settlement, which followed a ransomware attack that potentially compromised data of 170,000 individuals, is part of an ongoing initiative that has already produced 10 separate enforcement actions since the initiative began. As OCR Director Paula M. Stannard emphasized, “Completing an accurate and thorough risk analysis…is a foundational step to mitigate or prevent cyberattacks and breaches.”
What Happened
The accounting firm, which processed ePHI from its HIPAA-covered entity clients as part of providing financial services, was under investigation by OCR following a breach report related to a ransomware incident. The investigation determined that while the accounting firm had entered into business associate agreements with its covered entity clients as required under HIPAA, the firm failed to conduct an annual security risk analysis. HIPAA requires all business associates to assess potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI in their possession.
Why It Matters
This is the tenth settlement under OCR’s Risk Analysis Initiative, a string of recent enforcement actions focused on risk analyses as a central compliance obligation under the Security Rule. Recent settlements have ranged from $25,000 to $350,000, and many impose comprehensive corrective action plans in addition to settlement amounts, signaling that OCR is treating risk analysis as a cornerstone requirement, not an optional exercise.
Key Compliance Lessons
While most business associates implement baseline measures such as entering into business associate agreements and maintaining basic security policies, many do not adhere to the broader set of Security Rule requirements, including annual risk assessments. This enforcement action is a reminder that business associates must go beyond baseline measures to comply with HIPAA, protect ePHI, and reduce regulatory scrutiny. Steps to consider include:
- Confirming your organization conducts and documents annual HIPAA risk assessments that (i) identify external sources of ePHI and where ePHI is stored, (ii) assess current security measures and who has access, (iii) identify potential threats and vulnerabilities, and (iv) evaluate the potential impact of a compromise
- Completing an inventory of all systems and devices that store or transmit ePHI
- Updating and distributing policies and procedures on access controls and system monitoring
- Providing training and certifications for all workforce members
- Reviewing incident response plans and cyber insurance coverage for adequacy
Bottom Line
As enforcement activities continue to trend in this direction, business associates must boost their compliance with risk assessment requirements to mitigate regulatory scrutiny.