Privacy & Information Security Law Blog

On February 21, 2024, the U.S. Department of Health and Human Services’ Office for Civil Rights (“OCR”) entered into a resolution agreement and corrective action plan with Green Ridge Behavioral Health LLC (“GRBH”) stemming from the organization’s failure to comply with the Privacy and Security Rules of the Health Insurance Portability and Accountability Act (“HIPAA”) and subsequent failure to protect against a 2019 ransomware attack that impacted the personal health information (“PHI”) of more than 14,000 patients. This marks the second such settlement with a HIPAA-regulated entity for violations that were discovered following a ransomware attack, according to HHS.

GRBH is a small behavioral health clinic located in Maryland, and provides psychiatric evaluations, medication management, and psychotherapy services to its patients. It filed a breach report with OCR in February 2019, which then investigated the organization’s data practices starting in December 2019. The investigation revealed that GRBH did not have appropriate security measures in place to protect PHI, did not conduct an analysis of risks and vulnerabilities to PHI, and did not maintain sufficient monitoring to prevent such an attack, including the implementation of policies and procedures to review system activity (e.g., audit logs, access reports, and security incident tracking reports). Finally, the investigation indicated that GRBH violated the HIPAA Privacy Rule by failing to meet the requirement not to use or disclose PHI except as permitted by the Rule.

The resolution agreement requires Green Ridge to pay $40,000 to OCR and enter into a Corrective Action Plan that obligates Green Ridge to, among other items:

• Implement a security management process, including a thorough risk analysis, which is to be provided to HHS for review within 60 days.
• Develop an enterprise-wide Risk Management Plan to address any risks and vulnerabilities identified, which is to be provided to HHS for review within 90 days of HHS approval of the risk analysis.
• Review, develop or revise its policies and procedures, which must contain “minimum content” as specified in the Corrective Action Plan, and provide them to HHS for review.
• Distribute policies and procedures to the workforce and collect compliance certifications from all members.
• Investigate all likely policy violations.
• Submit its training materials to HHS for approval and provide appropriate training to the workforce within 30 days of HHS approval.
• Review all business associate agreements and other vendor agreements within 60 days.

The Corrective Action Plan also requires GRBH to submit implementation and annual reports to HHS and comply with document retention requirements.

This enforcement action emphasizes the importance of strong security measures for organizations of any size that handle personal data, particularly sensitive personal data such as PHI, which are frequently targeted in ransomware attacks. It is also is notable in that it appears to be the second time in recent months that HHS has taken action against a healthcare provider in the wake of a ransomware attack.