The Department of Health and Human Services’ Office for Civil Rights (“OCR”) recently announced two HIPAA enforcement actions involving failures to safeguard electronic protected health information (“ePHI”) in violation of the HIPAA Security Rule. Both cases stem from investigations into incidents that exposed sensitive health data, underscoring ongoing federal scrutiny of entities that fail to build core compliance measures, such as HIPAA risk analyses, system activity reviews and workforce access controls, into their security programs.
Northeast Radiology, P.C. (“NERAD”) agreed to a $350,000 settlement after OCR launched an investigation into the company’s use of a medical imaging storage system (“PACS”) that lacked proper access controls. The investigation stemmed from a March 2020 breach report in which NERAD disclosed that, between April 2019 and January 2020, unauthorized individuals had accessed radiology images stored on its PACS server containing unsecured ePHI, gaining access to the ePHI of nearly 300,000 individuals. OCR found that NERAD had not conducted a comprehensive HIPAA risk analysis, failed to implement procedures to monitor access to ePHI, and lacked adequate policies to safeguard sensitive data.
In addition to the monetary settlement, NERAD agreed to a two-year corrective action plan that requires it to conduct a thorough HIPAA risk analysis to assess potential threats to the confidentiality, integrity, and availability of ePHI; implement a risk management plan to address identified security vulnerabilities; establish a process for regularly reviewing system activity, including audit logs and access reports; maintain and update written HIPAA policies and procedures; and enhance its HIPAA and security training program for all workforce members with access to PHI.
Guam Memorial Hospital Authority (“GMHA”) reached a $25,000 settlement following OCR’s investigation into two separate security incidents: a ransomware attack in December 2019 and a 2023 breach involving hackers who retained access to ePHI. Through its investigation, OCR determined that GMHA had failed to conduct an accurate and thorough HIPAA risk analysis to determine the potential risks and vulnerabilities to ePHI held in its systems.
As part of a three-year corrective action plan, GMHA is required to conduct a comprehensive HIPAA risk analysis to identify risks to the confidentiality, integrity and availability of its ePHI; implement a risk management plan to mitigate those risks; develop a process for regularly reviewing system activity, such as audit logs and access reports; and adopt written policies and procedures to comply with the HIPAA Privacy, Security and Breach Notification Rules. GMHA also must strengthen its HIPAA training program, review and manage access credentials to ePHI, conduct breach risk assessments, and provide supporting documentation to OCR.
Together, these enforcement actions reinforce OCR’s expectation that covered entities and business associates adopt and maintain robust, enterprise-wide security programs capable of preventing, detecting and responding to threats that compromise ePHI.