
OCR Settles HIPAA Ransomware Cybersecurity Investigation with Neurology Practice

On April 25, 2025, the US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced a settlement with a small New York neurology practice over a potential violation of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule. The settlement resolves an OCR investigation following a ransomware attack that compromised the practice’s IT systems.

In December 2020, the practice reported a breach to OCR: its entire network, including all electronic protected health information (ePHI) it held, had been encrypted and rendered inaccessible by ransomware. The breach affected approximately 6,800 individuals, and the compromised data included names, clinical and health insurance information, demographic details, Social Security numbers, and driver’s license or state ID numbers.

OCR’s investigation found that the practice had failed to conduct an accurate and thorough risk analysis, as required by HIPAA, to identify potential vulnerabilities to the confidentiality, integrity, and availability of ePHI.

As part of the settlement, the practice agreed to pay $25,000 and implement a corrective action plan monitored by OCR for two years. Required steps under the plan include:

    • Conducting an accurate and thorough risk analysis to determine the potential risks and vulnerabilities to the ePHI in its information systems;
    • Developing and implementing a risk management plan to address and mitigate security risks and vulnerabilities identified in the risk analysis;
    • Reviewing, and to the extent necessary, revising its written policies and procedures to comply with the HIPAA Rules; and
    • Training staff on its HIPAA policies and procedures.

OCR recommends that healthcare providers, health plans, clearinghouses, and business associates covered by HIPAA implement the following steps to mitigate or prevent cyberthreats:

    • Identify where ePHI is located in the organization, including how ePHI enters, flows through, and leaves the organization’s information systems.
    • Integrate risk analysis and risk management into the organization’s business processes.
    • Ensure that audit controls are in place to record and examine information system activity.
    • Implement regular reviews of information system activity.
    • Use authentication mechanisms to ensure that only authorized users can access ePHI.
    • Encrypt ePHI in transit and at rest, where appropriate, to guard against unauthorized access.
    • Incorporate lessons learned from incidents into the organization’s overall security management process.
    • Provide staff with regular HIPAA training that is specific to the organization and to the workforce members’ respective job duties.

“Effective cybersecurity requires proactively implementing the HIPAA Security Rule requirements before a breach or cybersecurity incident occurs,” said OCR Acting Director Anthony Archeval. “OCR urges healthcare entities to prioritize compliance with the HIPAA Security Rule risk analysis requirement.”

Compliance Perspective

Issue

OCR enforces the HIPAA Privacy, Security, and Breach Notification rules, which set out the responsibilities of covered entities—health plans, healthcare clearinghouses, and most healthcare providers—and their business associates to protect the privacy and security of protected health information (PHI). A critical component of the Security Rule is the Risk Analysis provision (45 CFR § 164.308(a)(1)(ii)(A)), which requires regulated organizations to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of the ePHI they maintain. This risk analysis is the foundation of effective cybersecurity practice and is essential for compliance with the HIPAA Security Rule; in this case, as in many prior OCR settlements, the absence of a thorough risk analysis, rather than the ransomware infection itself, was the violation cited. Given that ransomware and hacking are the primary cyberthreats facing healthcare organizations, the Risk Analysis provision is a key requirement for protecting ePHI.

Discussion Points

    • Review and update HIPAA-related policies and procedures, including those addressing PHI and the Privacy, Security, and Breach Notification rules. Ensure they specifically include risk analysis requirements and are revised as new information, threats, or technologies emerge.
    • Train all relevant staff on HIPAA regulations, including PHI protection and the requirements of the Privacy, Security, and Breach Notification rules. Include specific guidance on risk analysis. Provide refresher training at least annually, and whenever new threats or vulnerabilities are identified.
    • Conduct regular audits to verify compliance with HIPAA policies and procedures. Assess staff understanding and competency, and confirm that risk analysis activities are being performed consistently and appropriately.

*This news alert has been prepared by Med-Net Concepts, Inc. for informational purposes only and is not intended to provide legal advice.*