On September 23, 2020, the Office for Civil Rights (OCR) within the U.S. Department of Health and Human Services (HHS) announced that CHSPSC LLC, (CHSPSC) agreed to pay $2,300,000 and adopt a Corrective Action Plan (CAP) to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules. The potential violations were related to a data breach that affected the protected health information (PHI) of more than six million individuals. This is the second OCR settlement announced this week related to a hacking incident.

CHSPSC is a management company based in Franklin, Tennessee that provides business associate services to hospitals and clinics, including information technology, accounting, human resources, and health information management. CHSPSC entered into a Resolution Agreement with HHS, which is not an admission of liability by CHSPSC.

In April 2014, the Federal Bureau of Investigation (FBI) notified CHSPSC that a cyberhacking group compromised administrative credentials and remotely accessed CHSPSC’s advanced information system through its virtual private network. Despite this notification, the hackers access continued until August 2014. The cyberhacking group’s intrusion affected 237 covered entities served by CHSPSC and resulted in the exfiltration of PHI of 6,121,158 individuals.  The PHI disclosed included patients’ names, sex, dates of birth, phone numbers, social security numbers, email addresses, ethnicity, and emergency contact information.  OCR investigated and discovered longstanding, system noncompliance with the HIPAA Security Rule including failing to implement information system activity review, security incident procedures, and access controls.

In addition to the $2,300,000 monetary settlement, CHSPSC has agreed to a CAP which includes two (2) years of monitoring by HHS and a requirement to complete each of the following:

• Designate an individual who is knowledgeable about HIPAA to serve as the Compliance Representative.
• Develop a written plan to internally monitor compliance with the CAP, which must be submitted to HHS for review and approval.
• Conduct an accurate, thorough, and enterprise-wide analysis of security risks and vulnerabilities.
• Review and revise its policies and procedures regarding technical access controls for all software applications and network or server equipment. Such policies and procedures must include at minimum specific measures set forth in the CAP and must be submitted to HHS for approval.
• Upon receiving HHS’ approval of the revised policies and procedures, CHSPSC must adopt, distribute, and routinely update the revised policies and procedures.
• Revise its training policies and procedures, which must be provided to HHS for review.
• Provide workforce training utilizing HHS approved training materials.
• Implement internal reporting procedures requiring all workforce members with access to electronic PHI to report potential violations of CHSPSC policies and procedures to the Compliance Representative.
• Within one (1) year after the CAP takes effect, submit a report to HHS regarding the status and findings of CHSPSC’s compliance with the CAP.

This settlement is an important (and expensive) reminder that all business associates should ensure they have implemented HIPAA compliant security protections to guard against hackers. Business associates should review their current HIPAA Privacy Rule and Security Rule policies and procedures to ensure they are fully compliant and up-to-date. Similarly, covered entities must ensure their own HIPAA compliance and be diligent in their monitoring and understanding of the HIPAA compliance of their business associates.