HHS OCR Issues Its Most Recent HIPAA Annual Report and a Second Ransomware Settlement

Bruce D. Armon, Alyson M. Leone

On February 14, 2024, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) issued two reports to Congress as required by the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009. The reports help health care providers (and all covered entities) and business associates understand OCR’s enforcement actions in a recent calendar year, highlight areas of interest to OCR, and provide an important reminder of the need for continued HIPAA compliance and of the potential consequences of resolving alleged and actual HIPAA violations.

What You Need to Know:

  • A behavioral health practice discovered its network server was infected with ransomware resulting in the encryption of its files and the electronic health records of 14,000 patients and ultimately resulting in a $40,000 settlement and three-year corrective action plan with OCR.
  • Conducting a risk analysis, ensuring controls are in place, encrypting data, and regularly monitoring system activity are among the best practices to mitigate violations and protect electronic PHI.
  • OCR’s investigation discovered Green Ridge Behavioral Health, LLC failed to have in place an analysis to determine risks, implement security measures, and have sufficient monitoring to protect against cyber-attacks.

In a not-so-subtle reminder to Congress, HHS OCR notes in the Executive Summary Overview of the 2022 HIPAA Privacy, Security, and Breach Notification Rule Compliance Report that, “There have been significant increases in HIPAA complaints received (17 percent increase from 2018 to 2022) and large breaches reported (107 percent increase from 2018 to 2022), without any increases in appropriations during that same time period.”

The 2022 report notes that OCR received 30,435 new complaints, resolved 32,250 complaints, resolved 17 complaint investigations with Resolution Agreements and Corrective Action Plans (RA/CAPs) and monetary settlements totaling $802,500, one complaint investigation with a $100,000 civil money penalty, and completed 846 compliance reviews resulting in a corrective action or civil money penalty in 80 percent (674) of these investigations. Three compliance reviews were resolved with RA/CAPs and payments totaling $2,425,640.

The 2022 report includes a helpful table tracking complaints received, complaints reviewed, and the number of reported breaches affecting more than or less than 500 individuals. Finally, the 2022 report lists summaries of the Resolution Agreements and Civil Money Penalties issued by HHS OCR in 2022.

The Breaches of Unsecured Protected Health Information Report identifies the number and nature of breaches of unsecured protected health information (PHI) that were reported to HHS OCR in 2022 and the actions taken in response to those breaches. This report also identifies ways for covered entities to improve compliance with the HIPAA Security Rule requirements, including:

  • risk analysis and risk management;
  • information system activity review;
  • audit controls;
  • response and reporting; and
  • person or entity authentication.

Importantly, hacking/IT incidents comprised 77 percent of the reported breaches in 2022, with 58 percent of reported large breaches related to network servers.

In light of these two HHS OCR reports, it should come as no surprise that on February 22, 2024, OCR announced a $40,000 settlement with Green Ridge Behavioral Health, LLC (“GRBH”), a behavioral health practice located in Maryland, relating to a ransomware attack that affected the PHI of 14,000 individuals. Notably, this is the second OCR settlement following a ransomware attack, with the first one announced in October 2023. Ransomware is a type of malicious software (malware) designed to deny access to a user’s data, usually by encrypting the data with a key known only to the hacker who deployed the malware, until a ransom is paid.

GRBH filed a breach report with OCR in February 2019. OCR’s investigation found that GRBH did not have in place a process to determine the potential risks and vulnerabilities to its PHI. OCR also found that GRBH lacked security measures to reduce those risks and insufficiently monitored its health information systems’ activity to protect against a cyber-attack.

Pursuant to the settlement agreement, in addition to paying $40,000, GRBH will implement a corrective action plan (CAP) to protect the security of its PHI, and OCR will monitor GRBH for three years to ensure HIPAA compliance.

The two most recent HHS OCR reports provide helpful information explaining OCR’s case volume and enforcement activities over a twelve-month period. The GRBH settlement underscores the continuing threat posed by ransomware attacks and the critical importance of ongoing HIPAA Security Rule and Privacy Rule compliance activities.

Saul Ewing attorneys regularly assist covered entities and business associates with HIPAA compliance efforts including drafting and updating policies and procedures, workforce training, and breach responses.

If you have questions about this alert, please contact one of the authors or your regular Saul Ewing contact.
