HHS Reaches Its First HIPAA Settlement Agreement Involving a Ransomware Attack | Practical Law

The Department of Health and Human Services (HHS) has announced a settlement of potential Privacy and Security Rule violations under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The settlement involved a Massachusetts-based medical management company (and HIPAA business associate (BA)). The BA must pay $100,000 to HHS and comply with a three-year corrective action plan.

Practical Law Legal Update w-041-2275 (Approx. 6 pages)

by Practical Law Employee Benefits & Executive Compensation
Published on 01 Nov 2023, USA (National/Federal)
On October 31, 2023, HHS issued a settlement agreement with a Massachusetts-based medical management company (and HIPAA business associate (BA)) for potential violations of HIPAA's Privacy and Security Rules (see HIPAA Privacy, Security, and Breach Notification Toolkit) (Resolution Agreement (Oct. 31, 2023); see related press release). The BA provided services to HIPAA covered entities (CEs) that included payer credentialing and medical billing. Under the agreement, the BA must:
  • Pay $100,000 to resolve the action.
  • Comply with a three-year corrective action plan (CAP).
The settlement is HHS's first agreement involving a ransomware attack.

Ransomware Attack on Network Server

HHS began investigating the BA in April 2019 after receiving a breach notification from the BA indicating that its network server had been infected by GandCrab ransomware in April 2017, resulting in unauthorized access to the network (see Practice Note, HIPAA Breach Notification Rules). The BA did not detect the attack until more than a year-and-a-half later—when the ransomware encrypted its data in December 2018. According to the breach notification, the ransomware attack affected the electronic protected health information (ePHI) of nearly 206,700 individuals on the BA's server.
HHS's investigation revealed that the BA potentially violated HIPAA's Security Rule by failing to:
HHS also cited the BA's unauthorized disclosure of the individuals' ePHI as a potential violation of the Privacy Rule (45 C.F.R. § 164.502(a)).

Corrective Action Plan Addresses Security Rule Standards

In addition to the $100,000 payment, the BA must comply with a three-year CAP that includes requirements relating to risk analysis and management, HIPAA policies and procedures, and training.

Risk Analysis, Inventory, and Risk Management Plan

Regarding the Security Rule's security management process standards, the CAP requires the BA to perform a risk analysis of potential risks and vulnerabilities to the confidentiality, integrity, and availability of the ePHI in its possession. The BA must develop a complete inventory of all electronic equipment, data systems, facilities, and applications that contain or store ePHI. This inventory must be incorporated in the BA's risk analysis. The CAP also requires the BA to provide documentation regarding its existing security measures, including:
  • Network segmentation and infrastructure.
  • Vulnerability scanning.
  • Logging and alerts.
  • Patch management.
The risk analysis is subject to HHS's approval.
The BA also must create and adopt an enterprise-wide risk management plan to address and mitigate any security risks and vulnerabilities identified in the risk analysis. The risk management plan must:
  • Address the process and timeline for the BA's implementation, evaluation, and updating of its risk remediation activities.
  • Be approved by HHS and then timely implemented.

HIPAA Policies and Procedures: Minimum Content Requirements

The CAP also requires the BA to revise its HIPAA policies and procedures. As revised, the policies and procedures must address (at a minimum) the following issues under HIPAA's Security Rule:
The BA must submit its revised policies and procedures to HHS for approval. Once the policies and procedures are approved, the BA must:
  • Finalize and adopt the approved policies and procedures.
  • Timely distribute them to all workforce members who use or disclose ePHI.
The BA's revised policies and procedures must be distributed to newly hired workforce members (whose roles involve using or disclosing PHI) within 30 days of their start dates.

Training

Regarding training, the CAP requires the BA to:
  • Revise its existing HIPAA training materials, if necessary.
  • Submit the updated training materials to HHS for approval.
  • Timely provide training (and annual retraining) to workforce members who have access to PHI.
  • Obtain a certification, in written or electronic form and reflecting the training date, from each workforce member stating that the individual received the training.

Reportable Events and Other CAP Requirements

A section of the CAP addressing reportable events requires the BA to promptly investigate and report any information it receives about workforce members' noncompliance with the BA's HIPAA policies and procedures (as revised). The BA also must inform HHS of the sanctions it imposes on workforce members who do not comply with the policies and procedures.
The BA must satisfy additional requirements under the CAP, including submission of a training report and annual reports for the CAP's duration. The CAP also requires the BA to document its compliance with the CAP for six years.

Practical Impact

HHS describes ransomware as a kind of malware (malicious software) that blocks access to a user's data by encrypting the data—with a key controlled by the hacker that released the malware—until a ransom is paid. In recent years, ransomware has been the subject of a significant amount of HHS guidance (much of it informal) addressing the threats to HIPAA CEs and BAs posed by attacks such as the one in this latest settlement agreement (see Practice Note, HIPAA Security Rule: Overview and Administrative Safeguards: Ransomware and the Security Management Process Standard: Cybersecurity Defense). HHS's guidance has focused on Security Rule standards under which CEs and BAs must:
  • Conduct a risk analysis to identify threats and vulnerabilities to ePHI (for example, using vulnerability scans and penetration testing).
  • Adopt security measures to reduce or remediate risks that are identified.
Also, regarding training and reportable events (two components of the BA's CAP), HHS recently issued guidance addressing how workplace sanctions policies can improve CEs' and BAs' HIPAA compliance efforts.