Risk Analysis Failure Results in $10,000 HIPAA Penalty

The HHS Office for Civil Rights (OCR) and Northeast Surgical Group, P.C. have agreed to a settlement to resolve an alleged violation of the risk analysis implementation specification of the HIPAA Security Rule. This is OCR’s 4th enforcement action under OCR’s risk analysis enforcement initiative and the 10th ransomware-related investigation to result in a financial penalty.

Northeast Surgical Group, a provider of surgical services in Michigan, reported a ransomware-related data breach to OCR on March 6, 2023, that potentially involved unauthorized access to the protected health information of all 15,298 of its patients. As with all large data breaches, OCR launched an investigation to determine if the data breach was a consequence of a HIPAA violation. OCR is currently focused on identifying noncompliance with the risk analysis implementation specification of the HIPAA Security Rule due to its importance for cybersecurity and the frequency with which OCR identifies risk analysis violations in its investigations and HIPAA audits. These enforcement actions highlight the need for greater attention to be paid to conducting a risk analysis.

The risk analysis is vital for security and is not an item that can be hurried to be marked off a HIPAA compliance checklist. It must be comprehensive and accurate, which means a regulated entity must first identify all ePHI within their environment, all external sources of ePHI, and all human, natural, and environmental threats to information systems containing ePHI. Those threats must be identified, assessed, prioritized, and subjected to a risk management plan. If risks are not identified through a risk analysis, they are likely to remain unaddressed and can be exploited by malicious actors to gain access to ePHI.

OCR determined that Northeast Surgical Group had failed to conduct an accurate and thorough risk analysis and a $10,000 was negotiated. Northeast Surgical Group is also required to implement a corrective action plan that includes conducting a HIPAA-compliant risk analysis, developing a plan to reduce any identified risks and vulnerabilities to an acceptable level, developing and revising policies and procedures to ensure compliance with the HIPAA Rules, and providing training to its workforce on the new policies and procedures.

About Liam Johnson

Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: https://www.linkedin.com/in/liamhipaa/