Jeffery Anoka, Deputy Chief Human Capital Officer, Associate Deputy Assistant Secretary for Human Resources, and Executive Director for Staffing, Recruitment and Operations Center | https://www.hhs.gov/
The U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) has announced a settlement with Cascade Eye and Skin Centers, P.C., a privately owned health care provider in Washington, over potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule. The settlement follows an OCR investigation into a ransomware attack on the provider.
Since 2018, large breaches reported to OCR that involve ransomware attacks have increased by 264%. “Cybercriminals continue to target the health care sector with ransomware attacks. Health care entities that do not thoroughly assess the risks to electronic protected health information and regularly review the activity within their electronic health record system leave themselves vulnerable to attack, and expose their patients to unnecessary risks of harm,” said OCR Director Melanie Fontes Rainer. She emphasized the importance of protecting electronic protected health information for both privacy and national security reasons.
OCR is responsible for enforcing the HIPAA Privacy, Security, and Breach Notification Rules. These rules require health plans, health care clearinghouses, most health care providers, and their business associates to protect the privacy and security of protected health information (PHI). The HIPAA Security Rule sets national standards for safeguarding electronic protected health information (ePHI) that these entities create, receive, maintain, or transmit.
OCR's investigation found that approximately 291,000 files containing ePHI were affected by the ransomware attack. OCR identified multiple potential violations of the HIPAA Security Rule by Cascade Eye and Skin Centers, including the failure to conduct a compliant risk analysis to determine the potential risks and vulnerabilities to ePHI in its systems, and insufficient monitoring of its health information systems' activity to protect against a cyberattack.
Under the settlement terms, Cascade Eye and Skin Centers will pay $250,000 to OCR and implement a corrective action plan aimed at securing ePHI, which OCR will monitor for two years. The corrective actions include conducting a thorough risk analysis, implementing a risk management plan, developing a process for regularly reviewing records of information system activity, creating policies for responding to emergencies that affect systems containing ePHI, assigning a unique identifier to each user who accesses systems containing ePHI, and otherwise ensuring compliance with the HIPAA Privacy and Security Rules.
OCR also provided recommendations for other entities covered by HIPAA to help them mitigate or prevent cyberattacks:
- Review all vendor and contractor relationships to ensure business associate agreements are in place where appropriate and that they address breach and security incident obligations.
- Integrate regular risk analysis into business processes.
- Ensure audit controls are in place to record and examine activity in information systems.
- Regularly review information system activity, such as audit logs and access reports.
- Use multi-factor authentication to ensure that only authorized users access ePHI.
- Encrypt ePHI to guard against unauthorized access to it.
- Incorporate lessons learned from incidents into the overall security management process.
- Provide job-specific training on privacy and security regularly.
The resolution agreement and corrective action plan, along with guidance on the HIPAA Rules, are available on the HHS website.
Individuals who believe that their own or another person's health information privacy or civil rights have been violated can file a complaint with OCR through its website.