On July 1, 2024, the US Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced a $950,000 settlement with Heritage Valley Health System (Heritage Valley), marking OCR’s third-ever settlement for alleged HIPAA Security Rule violations discovered after a ransomware attack. Heritage Valley, a health system providing services in Pennsylvania, Ohio, and West Virginia, experienced the ransomware attack in June 2017. Following media reports of the incident, OCR initiated a compliance review in October 2017 that concluded nearly seven years later with this settlement.
As the result of its investigation into Heritage Valley’s compliance with the HIPAA Security Rule, OCR identified several potential violations, including the failure to conduct risk analyses to identify potential risks and vulnerabilities to electronic protected health information (ePHI) in its systems and the failure to implement a contingency plan to respond to ransomware attacks and other emergencies. Additionally, OCR found that Heritage Valley failed to adopt policies and procedures that would limit access to ePHI solely to authorized users.
As part of the resolution agreement, Heritage Valley agreed to pay a monetary settlement of $950,000. Similar to OCR’s first ransomware settlement, the resolution agreement includes a three-year corrective action plan (CAP), which expands upon the two-year CAP that is more typical in OCR enforcement actions. Heritage Valley’s CAP will permit OCR to monitor its progress in conducting a thorough risk analysis; implementing a risk management plan that addresses and mitigates security risks and vulnerabilities identified in the risk analysis; developing and implementing policies and procedures that comply with the HIPAA Security Rule, specifically referencing seven particular HIPAA Security Rule topics; and training its workforce on Heritage Valley’s HIPAA policies and procedures.
In this latest HIPAA enforcement action, OCR notes that reported large breaches involving ransomware attacks increased by 264% over the past six years and that ransomware is one of the primary cyber threats to healthcare organizations. In its release describing the settlement with Heritage Valley, OCR provided several recommendations to mitigate and prevent cyber threats, one of which encourages the provision of regular training of the entity’s workforce to reinforce their role in protecting the privacy and security of health data. The CAP also provides insight into what OCR considers to be best practices for HIPAA training. The CAP requires training to be conducted at least annually. Workforce members must certify that they received the training, and the certification should state the date of the training. The CAP requires that the health system retain the course materials, and that the training materials are reviewed at least annually and updated to reflect (1) changes in laws or HHS guidance, (2) any issues discovered during an audit or another review, and (3) any other developments relevant to the HIPAA training. OCR also requires the health system to provide OCR with the length of the training sessions and a schedule of when the system held the training(s).
Health systems and all entities regulated under HIPAA should not only maintain a robust HIPAA compliance program, but also ensure that their workforce understands the nuances of these compliance obligations through training. Adhering to the training modification, cadence, and documentation requirements articulated in the Heritage Valley CAP will allow a HIPAA-regulated entity not only to provide in-depth training to its workforce, but also to easily detail to OCR the specifics of such training if audited or investigated.