HHS Settlement: HIPAA Violations upon Ransomware Attack

Posted by BAS - 14 December, 2023


The U.S. Department of Health and Human Services (HHS) entered into a settlement agreement on October 31, 2023 with a Massachusetts-based medical management company. The company was a business associate (BA) of its clients under HIPAA, providing credentialing and medical billing services. The settlement resolves potential HIPAA violations stemming from a ransomware attack. It is HHS's first settlement involving a ransomware attack, emphasizing the growing importance of cybersecurity.

Key Points of the Settlement:

  • Financial Settlement: The company is required to pay $100,000 to resolve the potential violations, signaling the severity of the consequences.
  • Three-Year Corrective Action Plan (CAP): In addition to the financial penalty, the BA must comply with a comprehensive three-year CAP, addressing key aspects of risk analysis, HIPAA policies, and employee training.

Ransomware Attack Overview:

The HHS investigation began in April 2019, triggered by a breach notification from the BA. The BA's network server had fallen victim to a GandCrab ransomware attack in April 2017, leading to unauthorized access to the electronic protected health information (ePHI) of over 206,000 individuals.

Security Rule Violations:

HHS's investigation found that the business associate violated the HIPAA Security Rule because it did not have:

  • Accurate risk analysis.
  • Adequate procedures for reviewing information system activity.
  • Policies and procedures compliant with the Security Rule.

Corrective Action Plan Highlights:

  • Risk Analysis and Management: The CAP mandates a thorough risk analysis of potential vulnerabilities related to ePHI, incorporating a complete inventory of electronic equipment and data systems.
  • HIPAA Policies and Procedures: The BA must revise and submit updated policies and procedures, addressing information system activity review and security awareness and training.
  • Training: The CAP requires revisions to existing HIPAA training materials, timely training for employees with access to PHI, and obtaining certifications of training completion.
  • Reportable Events and Compliance Documentation: The BA must promptly investigate and report any noncompliance with revised HIPAA policies. Additionally, it must maintain documentation of compliance with the CAP for six years.

Practical Impact and Cybersecurity Awareness:

HHS's emphasis on ransomware as a significant threat underscores the need for robust cybersecurity measures. HR professionals must prioritize risk analysis, adoption of security measures, and comprehensive employee training to strengthen HIPAA compliance.


Benefit Allocation Systems (BAS) provides best-in-class, online solutions for: Employee Benefits Enrollment; COBRA; Flexible Spending Accounts (FSAs); Health Reimbursement Accounts (HRAs); Leave of Absence Premium Billing (LOA); Affordable Care Act Record Keeping, Compliance & IRS Reporting (ACA); Group Insurance Premium Billing; Property & Casualty Premium Billing; and Payroll Integration.

MyEnroll360 can Integrate with any insurance carrier for enrollment eligibility management (e.g., Blue Cross, Blue Shield, Aetna, United Health Care, Kaiser, CIGNA and many others), and integrate with any payroll system for enrollment deduction management (e.g., Workday, ADP, Paylocity, PayCor, UKG, and many others).

Topics: HIPAA, MyEnroll360 Security, Technology News, Cybersecurity
