On July 1, 2024, the U.S. Department of Health and Human Services (HHS), through its Office for Civil Rights (OCR), announced a settlement with Heritage Valley Health System (Heritage Valley) over potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. The settlement followed OCR's investigation of a widespread data security incident, a ransomware attack, in October 2017 that affected the health system's information systems, including its satellite and community locations. Under the resolution agreement, Heritage Valley agreed to pay $950,000 and to implement a Corrective Action Plan (CAP), and HHS will monitor its compliance with the CAP for three years.

The CAP requires Heritage Valley to: conduct an accurate and thorough risk analysis to identify potential risks and vulnerabilities to the confidentiality, integrity, and availability of its electronic protected health information (ePHI); implement a risk management plan to address and mitigate the security risks and vulnerabilities identified in that analysis; develop, maintain, and revise, as necessary, written policies and procedures to comply with the HIPAA Rules; and train its workforce on those policies and procedures. Together, these measures are meant to bring the organization into compliance with the Security Rule and to reduce the likelihood of another incident of this kind.
Heritage Valley Health System (Heritage Valley), based in Sewickley, Pennsylvania, is a regional healthcare provider. With more than 3,600 employees and over 600 physicians, it delivers patient-centered care at three hospitals, Heritage Valley Beaver, Heritage Valley Kennedy, and Heritage Valley Sewickley, as well as through 50 physician offices and satellite and community facilities serving Allegheny, Beaver, Butler, and Lawrence counties in Pennsylvania, eastern Ohio, and the panhandle of West Virginia.
The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) enforces federal civil rights laws, conscience and religious freedom laws, the HIPAA Privacy, Security, and Breach Notification Rules, and the Patient Safety Act and Rule, which together protect the rights of nondiscrimination, conscience, religious freedom, and health information privacy of individuals in the United States. OCR investigates complaints and breach reports and conducts compliance reviews to verify adherence to the Privacy, Security, and Breach Notification Rules; where it finds potential violations, it may require corrective action plans and impose financial penalties. HIPAA was enacted in 1996 and applies to covered entities (health care providers, health plans, and health care clearinghouses) and their business associates. Its original objectives were to let workers keep health insurance coverage when changing jobs, prevent discrimination based on pre-existing health conditions, and guarantee renewal of coverage in multi-employer health plans; its Administrative Simplification provisions are the statutory basis for the Privacy, Security, and Breach Notification Rules that OCR enforces.
Following the resolution, Melanie Fontes Rainer, OCR Director, said, “Hacking and ransomware are the most common type of cyber attacks within the health care sector. Failure to implement the HIPAA Security Rule requirements leaves health care entities vulnerable and makes them attractive targets to cyber criminals. Safeguarding patient protected health information protects privacy and ensures continuity of care, which is our top priority. We remind and urge health care entities to protect their records systems and patients from cyberattacks.”