Federal Health & Welfare Updates

HHS Announces Settlement for Potential HIPAA Violations

July 16, 2024

On July 1, 2024, the HHS Office for Civil Rights (OCR) announced that it had settled an investigation into Heritage Valley Health System (HVHS), a healthcare provider, following a ransomware attack that resulted in a breach of PHI. OCR alleged that HVHS failed to take the steps required by HIPAA to reduce the risk of a ransomware attack.

OCR began its investigation into HVHS on October 31, 2017, after media reports that the provider had experienced a data breach. As a result of this investigation, OCR determined that HVHS had failed to meet the following HIPAA requirements:

  • Conduct a compliant risk analysis to determine the potential risks and vulnerabilities to electronic protected health information (ePHI) in its systems.
  • Implement a contingency plan to respond to emergencies, such as a ransomware attack, that damage systems containing ePHI.
  • Implement policies and procedures that allow only authorized users to access ePHI.

Heritage Valley agreed to pay $950,000 to the federal government and to implement a corrective action plan to end the investigation. The plan requires HVHS to satisfy the requirements it failed to meet and to train its workforce on its HIPAA policies and procedures.

Employers should be aware of the risks associated with failing to meet HIPAA privacy and security requirements. OCR recommends that healthcare providers, health plans, clearinghouses, and business associates covered by HIPAA take the following steps to mitigate or prevent cyber threats:

  • Review all vendor and contractor relationships to ensure business associate agreements are in place as appropriate and address breach and security incident obligations.
  • Integrate risk analysis and risk management into business processes so they are conducted regularly and whenever new technologies and business operations are planned.
  • Ensure audit controls are in place to record and examine information system activity.
  • Implement regular review of information system activity.
  • Utilize multifactor authentication to ensure only authorized users are accessing ePHI.
  • Encrypt ePHI to guard against unauthorized access.
  • Incorporate lessons learned from incidents into the overall security management process.
  • Provide training specific to the organization and to job responsibilities on a regular basis, and reinforce workforce members’ critical roles in protecting privacy and security.

Heritage Valley Health System Resolution Agreement and Corrective Action Plan

OCR Press Release

PPI Benefit Solutions does not provide legal or tax advice. Compliance, regulatory and related content is for general informational purposes and is not guaranteed to be accurate or complete. You should consult an attorney or tax professional regarding the application or potential implications of laws, regulations or policies to your specific circumstances.
