On July 1, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) announced that Heritage Valley Health System, a provider in Pennsylvania, Ohio and West Virginia, agreed to pay $950,000 to resolve potential violations of the HIPAA Security Rule. Heritage Valley’s alleged violations included failure to conduct a risk analysis to determine potential risks and vulnerabilities to electronic protected health information (ePHI), failure to implement a contingency plan to respond to emergencies, and failure to implement policies to allow only authorized users to access ePHI.
As part of the settlement, Heritage Valley must implement a corrective action plan that will be monitored by OCR for three years, and must resolve the potential violations identified by OCR.
Providers should take heed that if an organization is the subject of a bad actor’s cyberattack, the responsibility ultimately remains with the covered entity and its business associates to ensure that adequate safeguards and preventive measures are in place and to respond appropriately to each contingency. OCR investigates all HIPAA breaches affecting more than 500 individuals and some breaches affecting fewer, and providers should be proactive and ready to show OCR all of the measures they have taken to prevent such an attack.
