On January 7, 2025, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced an $80,000 settlement with Elgon, Inc. (Elgon), a HIPAA business associate providing electronic medical record and billing support services, and a $90,000 settlement with Virtual Private Network Solutions, LLC (VPN Solutions), a business associate that provides data hosting and cloud services. Both settlements followed ransomware attacks on the entities and corresponding breach notifications to OCR.
Continued enforcement under OCR’s Risk Analysis Initiative
In its investigations of Elgon and VPN Solutions, OCR found that each entity lacked an accurate and thorough security risk analysis. These settlements mark the second and third enforcement actions under OCR’s Risk Analysis Initiative. The Initiative was created to emphasize the importance of conducting risk analyses and to increase “the number of completed investigations.” While the investigation and resolution of other recent ransomware enforcement actions tend to be a multi-year process, for Elgon, the period from OCR breach notification (June 2023) to resolution agreement execution (November 2024) was only about a year and a half.
Beyond the financial settlement
Similar to OCR’s first ransomware settlement, which also involved a business associate providing billing services that failed to conduct a compliant risk analysis, Elgon’s resolution agreement imposes a three (3)-year corrective action plan (CAP), while VPN Solutions’ resolution agreement requires a one (1)-year CAP. In addition to allowing OCR to monitor each entity’s compliance with HIPAA, the CAPs outline how Elgon and VPN Solutions will safeguard ePHI. For example, Elgon’s CAP requires it to:
- Evaluate and revise its risk analysis;
- Develop an enterprise-wide risk management plan to account for and mitigate security risks and vulnerabilities identified in its updated risk analysis;
- As needed, assess and update its policies and procedures to ensure compliance with the HIPAA Privacy and Security Rules, and distribute such policies and procedures to its workforce; and
- Train workforce members on HIPAA policies and procedures.
While VPN Solutions’ CAP is similar to the CAP imposed on Elgon, VPN Solutions is required to provide OCR with a breach risk assessment of its ransomware attack, as well as provide OCR with evidence of appropriate breach notification to affected covered entities.
Vendor contracting
As OCR continues to investigate ransomware attacks and emphasize the need for comprehensive, enterprise-wide security risk analyses, these enforcement actions reiterate that HIPAA-regulated entities must conduct thorough and accurate risk analyses to identify factors that could adversely impact the confidentiality, integrity, and availability of electronic protected health information (ePHI). They also remind covered entities to carefully consider arrangements with vendors who will access or receive protected health information (PHI). In addition to analyzing a potential vendor’s security posture, covered entities should also think through what happens in a breach scenario: Will the business associate notify OCR (as was the case for Elgon and VPN Solutions) and impacted individuals? How and when will the vendor notify the covered entity of a security incident or breach? These are just some of the questions to contemplate and terms to document in a business associate agreement.