Baker & Hostetler LLP

10/24/2024 | Press release | Distributed by Public on 10/24/2024 15:20

It’s Spooky Season: HHS OCR Finalizes Two Investigations into Ransomware Incidents, Providing Nightmare Material for Acquiring Entities


Before this year, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) resolved 70 breach investigations from which fines or civil monetary penalties were secured. Of those investigations, only one was triggered by a ransomware incident. With its announcements in September and October of two new resolutions, OCR has increased its ransomware-related enforcement activities to five. The resolution agreement and the $250,000 resolution amount HHS OCR announced on September 26, 2024, were run-of-the-mill with respect to the violations identified. HHS OCR found that Cascade Eye and Skin Centers P.C. (Cascade), like many other recent enforcement action targets, failed to conduct an enterprise-wide risk analysis as required by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule.

Key Takeaways:

  • Acquiring entities must be diligent about shoring up any HIPAA gaps on the part of the acquired entity. Don't just ask for all business associate agreements (BAAs); understand the vendors touching protected health information (PHI), and execute new BAAs if necessary.
  • Failure to integrate with the acquiring entity's systems does not mean the acquiring entity can be hands off with the acquired entity's existing security controls. The acquired entity's security issues become the acquiring entity's legal liability.
  • Covered entities should be auditing whether they have recognized security practices in place. For the first time, OCR has "shown its work," reducing the civil monetary penalty (CMP) by 20 percent due to sufficient evidence of recognized security practices.

Issue Spotting

On October 3, OCR announced its enforcement action and assessment of a $240,000 CMP against Providence Medical Institute (PMI), which involved several novel aspects. As with Cascade, HHS OCR commenced its investigation of the Southern California-based healthcare provider following the compromise of PHI by ransomware threat actors. That is where the similarities end.

The Notice of Proposed Determination (NPD) provides a maze of facts that, while somewhat common in the healthcare industry, have not been addressed by HHS OCR in this context before. The circumstances would make for excellent law school exam questions, as framed below.

A covered entity (PMI) acquires another covered entity, Center for Orthopaedic Specialists (COS). COS does not integrate into PMI's IT infrastructure and continues using the IT vendor it engaged prior to the acquisition to manage and support its own IT network and electronic health record. Neither COS nor PMI had a business associate agreement with the IT vendor (CSnC). Eighteen months after the acquisition, COS experiences three ransomware attacks in two months, resulting in the compromise of 85,000 patients' PHI. After the attacks, PMI conducts an enterprise-wide risk analysis of COS's IT environment and finds a number of security risks, including:

  • COS utilized unsupported and obsolete operating systems to host its ePHI data;
  • COS did not have a demilitarized zone network enabled or configured to separate its private network from the public internet and untrusted networks;
  • COS's firewall was not properly configured to monitor and track access or changes to its network;
  • COS had Remote Desktop Protocol enabled, which allowed insecure remote access to COS workstations from external sources; and,
  • COS workforce members were sharing generic credentials with administrator access to log into COS's workstations, which allowed all users logging into COS's workstations to have unrestricted administrator access.

PMI is able to provide proof that, for its own network, it implements reasonable security measures. Identify all the issues and analyze who is responsible for HIPAA violations.

Continuing the law school exam flashback theme (which, coincidentally, qualifies as additional nightmare material), if HHS OCR were the gunner law student, the following would be its answer (taken from the NPD).

Party Responsible:

  1. Because COS was acquired by PMI, the security of COS's IT infrastructure and PHI and COS's HIPAA compliance became the responsibility of PMI. The fact that COS remained on pre-acquisition systems does not exculpate PMI. (Author's note: This was not specifically addressed in the NPD. However, the NPD discusses the various deficiencies as failures of PMI directly rather than PMI as legally responsible for COS's failures.)

Violations:

  1. PMI violated HIPAA by failing to sign a business associate agreement with COS's IT vendor after the acquisition. "[A]t the time of the breach, COS's IT vendor, CSnC, provided data management services for COS's IT network, which included its eClinicalWorks EMR servers. The services provided by CSnC required COS to disclose its ePHI to CSnC. Accordingly, the service relationship PMI had with CSnC, specifically CSnC's management and maintenance of COS's ePHI, makes it a business associate under the regulations."
  2. COS's technical deficiencies identified by PMI constitute a violation of the Security Rule. Specifically, "PMI did not implement the required technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights … in violation of C.F.R. § 164.312(a)(1)."

Penalties:

  1. With respect to PMI's failure to execute a BAA with CSnC, PMI knew or should have known that this was a HIPAA violation, and thus the appropriate penalty tier for this violation is Tier 2 - Reasonable Cause ($1,000-$50,000 per violation, with an annual cap of $100,000). The violation is calculated from "6 years prior to the NPD date, April 1, 2018. The penalty calculation ends on June 14, 2018, which is the day prior to execution of a Business Associate Agreement with CSnC. … Calendar Year 2018: 75 days from April 1, 2018, to June 14, 2018, at $1,379 per day with an annual cap of $100,000 … . Total CMP: $103,425, capped at $100,000."
  2. With respect to the security risks identified, PMI knew or should have known that COS was not in compliance with the HIPAA Security Rule, and thus the appropriate penalty tier for this violation is Tier 2 - Reasonable Cause ($1,000-$50,000 per violation with an annual cap of $100,000). OCR should "begin calculations for this proposed violation 6 years prior to the NPD date, April 1, 2018. The penalty calculation ends on May 22, 2019, which is the day prior to PMI completing its integration of COS into PMI's IT infrastructure and achieving substantial compliance with this Security Rule standard. … Calendar Year 2018: 275 days from April 1, 2018, to December 31, 2018, at $1,379 per day (Total CMP of $379,225, capped at $100,000). … Calendar Year 2019: 142 days from January 1, 2019, to May 22, 2019, at $1,379 per day (Total CMP of $195,818, capped at $100,000). … Total CMP: $200,000."
  3. PMI's ability to show it had recognized security practices (RSPs) "in place for the previous 12 months is in alignment with Section 405(d) of the Cybersecurity Act of 2015 (CSA)." Therefore, OCR should apply a 20 percent reduction of the CMP based on PMI's sufficient implementation of RSPs.

This resolution offers entities a road map for easily addressed issues after acquisition and a tangible return on investment for focusing on recognized security practices audits.