On October 31, 2024, OCR announced a settlement with Bryan County Ambulance Authority (BCAA), an emergency medical services entity, for a potential HIPAA violation arising from a 2021 ransomware attack that resulted in the encryption of files on BCAA’s network. The settlement marks the first enforcement action in OCR’s Risk Analysis Initiative. 

The Risk Analysis Initiative was created to focus certain investigations on compliance with HIPAA’s Security Rule Risk Analysis provision, which requires covered entities to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI) held by the organization. 

After BCAA reported the breach, OCR launched an investigation that determined BCAA had failed to conduct a compliant risk analysis to determine the potential risks and vulnerabilities to ePHI in BCAA’s systems. 

Under a settlement agreement, BCAA agreed to pay a $90,000 fine and implement a 3-year corrective action plan to be monitored by OCR. Under the corrective action plan, BCAA will be required to:

  • Conduct an accurate and thorough risk analysis to determine the potential risks and vulnerabilities to the confidentiality, integrity, and availability of its ePHI; 
  • Implement a risk management plan to address and mitigate security risks and vulnerabilities identified in the risk analysis; 
  • Develop, maintain, and revise (when necessary) written policies and procedures to comply with the HIPAA Security Rule; and 
  • Train its workforce on HIPAA policies and procedures. 

The settlement highlights the importance of conducting periodic security risk analyses to comply with HIPAA. According to OCR Director Melanie Fontes Rainer, “Failure to conduct a HIPAA Security Rule risk analysis leaves healthcare entities vulnerable to cyberattacks, such as ransomware. Knowing where your ePHI is held and the security measures in place to protect that information is essential for compliance with HIPAA.”