Bryan County Ambulance Authority Pays $90,000 Penalty for Not Conducting a Risk Analysis
The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has announced its first enforcement action under its risk analysis enforcement initiative. Bryan County Ambulance Authority in Oklahoma has paid a $90,000 financial penalty to resolve alleged violations of the HIPAA Rules. This is OCR’s seventh enforcement action stemming from an investigation of a ransomware-related data breach.
OCR Risk Analysis Enforcement Initiative
OCR’s new enforcement initiative is specifically aimed at identifying noncompliance with the risk analysis requirement of the HIPAA Security Rule. A risk analysis is one of four required implementation specifications of the Security Management Standard process of the HIPAA Security Rule, and states that HIPAA-covered entities and their business associates must “Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information.”
The HIPAA text does not stipulate how frequently a risk analysis should be conducted but it should be conducted regularly and when necessary, such as following any material change to policies, procedures, or technology. Many HIPAA-regulated entities conduct a risk analysis biannually, annually, or every 2-3 years, unless any changes warrant a more frequent risk analysis.
Several other HIPAA provisions rely on the findings of the risk analysis – such as the required risk management implementation specification, and the implementation specifications related to data backups, authentication, and encryption. In order to conduct an accurate and thorough assessment of risks to ePHI, a HIPAA-regulated entity must know all locations where ePHI is stored, how ePHI is transmitted, and all systems that have the potential to touch ePHI.
OCR’s investigations of data breaches have revealed that a risk analysis is one of the most common areas where HIPAA-regulated entities are noncompliant, either by not having conducted a risk analysis or conducting an incomplete risk analysis.
OCR is due to publish a notice of proposed rulemaking before the end of the year to update the HIPAA Security Rule, and while the nature of the update has not yet been disclosed, OCR Director Melanie Fontes Rainer said there will be “substantive updates.” The risk analysis implementation specification is likely to be updated due to its importance.
$90,000 Penalty for Never Conducting a Risk Analysis
OCR’s latest enforcement action stemmed from a 2021 ransomware attack on Bryan County Ambulance Authority, an Oklahoma provider of emergency medical services. OCR was notified about a data breach in May 2022 that involved the ePHI of 14,273 patients. Bryan County Ambulance Authority identified the attack when files started to be encrypted on November 24, 2021.
One of the first things that OCR looks at when assessing HIPAA compliance after a data breach is whether a comprehensive and accurate risk analysis has been completed, and when that risk analysis was last completed. OCR found no evidence that Bryan County Ambulance Authority had ever conducted a risk analysis.
OCR notified Bryan County Ambulance Authority of its intention to impose a penalty and offered the opportunity to resolve the matter informally. The offer was accepted and the alleged violations were settled for $90,000. The settlement also includes a comprehensive corrective action plan to address all areas of noncompliance identified by OCR, to ensure that Bryan County Ambulance Authority complies with the HIPAA Rules in the future.
In addition to conducting a comprehensive risk analysis, risks must be managed and reduced to a low and acceptable level, policies and procedures relating to HIPAA must be developed and implemented, and staff must receive training on those policies and procedures. Staff members must sign, manually or digitally, to confirm they have received the training, and staff members must not be provided with access to ePHI until that training has been received and confirmed with a signature. Bryan County Ambulance Authority will be monitored for compliance with the corrective action plan by OCR for 3 years.
“Failure to conduct a HIPAA Security Rule risk analysis leaves health care entities vulnerable to cyberattacks, such as ransomware. Knowing where your ePHI is held and the security measures in place to protect that information is essential for compliance with HIPAA,” said OCR Director Melanie Fontes Rainer. “OCR created the Risk Analysis Initiative to increase the number of completed investigations and highlight the need for more attention and better compliance with this Security Rule requirement.”
OCR also recommended that all HIPAA-regulated entities take steps to mitigate and prevent cyber threats by complying with the HIPAA Security Rule and implementing the cybersecurity requirements detailed in the voluntary HPH Sector Cybersecurity Performance Goals announced in January this year.