The $350,000 paid by Northeast Radiology, P.C. (“NERAD”) provides the latest warning to health plans, health care providers, healthcare clearinghouses (“Covered Entities”) and their business associates (collectively “Regulated Entities”) they risk costly fines and other costs for failing to maintain the up-to-date risk assessments required by the Health Insurance Portability & Accountability Act (“HIPAA”).
Following up on the five other previous Risk Analysis Initiative enforcement actions and settlements recently announced by the U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) and OCR’s publication of proposed rules to significantly tighten HIPAA’s Risk Analysis and other requirements, the settlement with medical imaging center NERAD sends a strong warning to health plans and other Regulated Entities to clean up and strengthen their Risk Analysis and other HIPAA Security Rule compliance.
$350,000 NERAD Risk Analysis Settlement Latest Product Of New Enforcement Initiative
The sixth Risk Analysis Initiative enforcement action announced by OCR in recent months, the NERAD settlement resolves an OCR Risk Analysis Initiative enforcement action arising from OCR’s investigation of a breach of ePHI stored on NERAD’s Picture Archiving and Communication System (“PACS”) server for storing, retrieving, managing, and accessing radiology images.
OCR initiated its investigation of NERAD after receiving a NERAD breach report about a breach of unsecured ePHI in March 2020. NERAD reported that between April 2019 and January 2020, unauthorized individuals accessed radiology images stored on NERAD’s PACS server. NERAD notified the 298,532 patients whose information was potentially accessible on the PACS server of this breach. OCR’s investigation found that NERAD had failed to conduct an accurate and thorough Risk Analysis to determine the potential risks and vulnerabilities to the ePHI in NERAD’s information systems.
To avoid potentially much greater HIPAA civil monetary penalties under the terms of the resolution agreement, NERAD paid OCR $350,000 and agreed to implement a corrective action plan that OCR will monitor for two years. Under the corrective action plan, NERAD will take steps to improve its compliance with the HIPAA Security Rule and protect the security of ePHI, including:
- Conducting an accurate and thorough Risk Analysis to determine the potential risks and vulnerabilities to the confidentiality, integrity, and availability of its ePHI;
- Developing and implementing a risk management plan to address and mitigate security risks and vulnerabilities identified in its Risk Analysis;
- Developing and implementing a written process to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports;
- Developing, maintaining, and revising, as necessary, its written policies and procedures to comply with the HIPAA Rules; and
- Augmenting its existing HIPAA and security training program to all of its workforce members who have access to PHI.
OCR Turns Up Heat On HIPAA Risk Analysis Requirements & Enforcement
The HIPAA Privacy, Security, and Breach Notification Rules set forth the requirements that Regulated Entities must follow to protect the privacy and security of protected health information. Since the HIPAA Security Rule first took effect, risk analysis is one of the four required implementation specifications the Security Rule requires to fulfill its Security Management Process Standard’s requirement that regulated entities “[i]mplement policies and procedures to prevent, detect, contain, and correct security violations.”
Written Risk Analysis Longstanding Requirement
Although OCR only recently formally adopted a Risk Analysis Initiative, OCR’s regulatory guidance and enforcement actions have communicated clearly the necessity for each Regulated Entity to possess and maintain an adequate documented Risk Analysis. OCR guidance since has required Regulated Entities to conduct and document the required Risk Analysis to safeguard ePHI and avoid liability under the HIPAA Rule. The importance of fulfillment of the Risk Analysis requirement is driven home by OCR’s recent identification of Risk Analysis inadequacies as a basis for its assessment of civil monetary penalties or required resolution payments to settle HIPAA Security Rule violations following a breach of ePHI.
While the Security Rule does not currently dictate how frequently a regulated entity must perform Risk Analysis, a proposed rule published by OCR on December 27, 2024 seeks to amend the existing Security Rule to expand the requirement to require regulated entities to develop and revise a technology asset inventory and a network map that illustrates the movement of ePHI throughout the regulated entity’s electronic information system(s) on an ongoing basis, at least once every 12 months and in response to a change in the regulated entity’s environment or operations that may affect ePHI. Although OCR has not adopted this and other changes contained in the proposed rule, substantial evidence exists that it already regularly administers the Risk Analysis requirement with the expectation that regulated entities will perform Risk Analysis at least this frequently. For instance, current OCR resolution agreements require impacted organizations to conduct Risk Analysis to identify and address vulnerabilities at least annually, and more frequently as needed in response to signs of potential breach or susceptibility.
To fulfill the “Risk Analysis” implantation specification, the Security Management Process Standard requires Regulated Entities maintain appropriate administrative, physical, and technical safeguards for the confidentiality, integrity, and security of electronic protected health information (“ePHI”) based on an up-to-date conduct of an up-to-date accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by that organization (“Risk Analysis”).
The Security Rule requires Regulated Entities to document each Risk Analysis in writing, to maintain their Risk Analysis documentation for six years, and to make available Risk Analysis documentation to OCR upon request.
Among other things, the Risk Analysis implementation standard requires regulated entities adequately to:
- Identify where ePHI is located in the organization, including how ePHI enters, flows through, and leaves the organization’s information systems.
- Integrate Risk Analysis and risk management into the organization’s business processes.
- Ensure that audit controls are in place to record and examine information system activity.
- Implement regular reviews of information system activity.
- Utilize mechanisms to authenticate information to ensure only authorized users are accessing ePHI.
- Encrypt ePHI in transit and at rest to guard against unauthorized access to ePHI when appropriate.
- Incorporate lessons learned from incidents into the organization’s overall security management process.
- Provide workforce members with regular HIPAA training that is specific to the organization and to the workforce members’ respective job duties.
OCR Heightens Risk Analysis Enforcement While Proposing Heightened Risk Analysis And Other Security Requirements
The proposed rule published by OCR on December 27, 2024 seeks to significantly broaden these original requirements of the Risk Assessment implementation standard. Under the proposed rule, a Regulated Entity’s Risk Analysis also would be required to include:
- Require the development and revision of a technology asset inventory and a network map that illustrates the movement of ePHI throughout the regulated entity’s electronic information system(s) on an ongoing basis, at least once every 12 months and in response to a change in the regulated entity’s environment or operations that may affect ePHI.
- Require greater specificity for conducting a risk analysis, including a written assessment that contains, among other things:
- A review of the technology asset inventory and network map;
- Identification of all reasonably anticipated threats to the confidentiality, integrity, and availability of ePHI;
- Identification of potential vulnerabilities and predisposing conditions to the regulated entity’s relevant electronic information systems;
- An assessment of the risk level for each identified threat and vulnerability, based on the likelihood that each identified threat will exploit the identified vulnerabilities; and
- A review of the technology asset inventory and network map.
Other changes included in the proposed rule would further heighten the Risk Analysis and other Security Standard requirements for Regulated Entities. For instance, the proposed rule would require Regulated Entities:
- To establish written procedures to restore the loss of certain relevant electronic information systems and data within 72 hours;
- To perform an analysis of the relative criticality of their relevant electronic information systems and technology assets to determine the priority for restoration;
- To establish written security incident response plans and procedures documenting how workforce members are to report suspected or known security incidents and how the regulated entity will respond to suspected or known security incidents;
- To implement written procedures for testing and revising written security incident response plans;
- To conduct a compliance audit at least once every 12 months to ensure their compliance with the Security Rule requirements;
- To require business associates to verify at least once every 12 months for covered entities (and that business associate contractors verify at least once every 12 months for business associates) that they have deployed technical safeguards required by the Security Rule to protect ePHI through a written analysis of the business associate’s relevant electronic information systems by a subject matter expert and a written certification that the analysis has been performed and is accurate;
- To encrypt ePHI at rest and in transit, with limited exceptions;
- To establish and deploy technical controls for configuring relevant electronic information systems, including workstations, in a consistent manner including deployment of anti-malware protection, removal of extraneous software, and disabling network ports in accordance with the regulated entity’s risk analysis;
- Use of multi-factor authentication, with limited exceptions;
- Vulnerability scanning at least every six months and penetration testing at least once every 12 months;
- Network segmentation;
- Separate technical controls for backup and recovery of ePHI and relevant electronic information systems;
- To review and test the effectiveness of certain security measures at least once every 12 months, in place of the current general requirement to maintain security measures;
- Business associates to notify covered entities (and subcontractors to notify business associates) upon activation of their contingency plans without unreasonable delay, but no later than 24 hours after activation;
- Group health plans to include in their plan documents requirements for their group health plan sponsors to: comply with the administrative, physical, and technical safeguards of the Security Rule; ensure that any agent to whom they provide ePHI agrees to implement the administrative, physical, and technical safeguards of the Security Rule; and notify their group health plans upon activation of their contingency plans without unreasonable delay, but no later than 24 hours after activation.
To help Regulated Entities understand and fulfill these responsibilities, OCR alone and in conjunction with the Office of the National Coordinator for Health Information Technology (“ONC”) also has published guidance like the HIPAA Security Risk Assessment (SRA) Tool. OCR guidance reflects that fulfillment of the Tool can help Regulated Entities may help defend but does not guarantee fulfillment of the Risk Assessment requirements, as the adequacy of the Risk Assessment always depends upon the unique facts and circumstances of the Regulated Entity at a particular time. This guidance confirms the importance of conducting timely and appropriate Risk Analysis in a manner that shows the Regulated Entity appropriately evaluated the risks to its e-PHI and acted reasonably in designing, administering, and updating that Risk Analysis to reasonably defend its e-PHI against breaches or other susceptibilities.
Recommended Actions For Health Plans & Other HIPAA-Regulated Entities
With the continued explosion in ransomware and other cyberthreats heightening the risk of experiencing a breach or other incident likely to draw the attention of OCR, each health plan or other Regulated Entity should take assess and confirm the adequacy of their current Risk Analysis, both to protect its ePHI and to promote its ability to defend its compliance with the HIPAA Security Rule’s Risk Analysis and other requirements in light of OCR’s heightened emphasis on Risk Analysis compliance and enforcement. For purposes of conducting this analysis, Regulated Entities generally will want to use a process like the following to structure their evaluation of their existing Risk Analysis to take advantage of the opportunity to use attorney-client privilege and other evidentiary rules to help protect discoverability of sensitive discussions about possible deficiencies in their existing Risk Analysis and discussions about potential tradeoffs considered in current or future Risk Analysis response:
- Engage legal counsel experienced with HIPAA and other cybersecurity-related risks and liabilities to advise and assist your organization in designing and administering your Risk Analysis processes and response within the scope of attorney-client privilege;
- Appoint and designate leadership and technical leadership for team responsible for design and administration of your organization’s initial and ongoing cybersecurity Risk Analysis and response (“Cyber-Risk Team”) and process for board and senior management reporting of the Cyber-Risk Team;
- Select and engage outside consulting service providers, cyber-liability insurers and other risk service providers expected to participate in the process; work with qualified legal counsel to contract with these business associates to include the business associate agreement and other reassurances required by the HIPAA Privacy, Security and Breach Notification Rule and other performances, cooperation to provide and back services in accordance with agreed-upon protocols in the contract;
- Train Cyber-Risk Team in the appropriate processes for working with internal teams, outside service providers, leadership, and designated legal counsel to conduct Risk Analysis, investigation and response using attorney-client privilege and other evidentiary tools and processes to maximize defensibility;
- Require the Cyber-Risk Team conduct an updated, document assessment of cyber-risk within scope of attorney-client privilege and work with legal counsel to develop a documented cyber-risk policy that captures analysis and determinations for your justification for the size, scope and timing of your periodic Risk Analysis and rules and processes for interim risk identification, reassessments and response in reaction to potential cyber-risk signs between periodic Risk Analysis for presentation and approval by the Board taking into account the insights from published final and proposed guidance, enforcement actions and industry standards;
- Require, oversee and enforce Cyber-Risk Team’s documented administration of the initial and subsequently required Risk Analysis and response pursuant to the adopted cyber-risk policy to identify vulnerabilities and work with legal counsel within the scope of privilege to document your analysis and justifications for addressing identified vulnerabilities and other required actions in response to identified susceptibilities or event;
- Review adequacy of incident detection and response arrangements, including reporting and response mechanisms, insurance and indemnification protection, and other critical elements for mitigation and recovery; and
- Other actions as warranted based on advice of counsel taking into account emerging threats, guidance, and risk susceptibility.
The author of this update, Cynthia Marcotte Stamer is an American College of Employee Benefits Counsel Fellow and attorney board certified in Labor and Employment Law by the Texas Board of Legal Specialization, nationally known and celebrated for her experience providing advice and representation on HIPAA and other risk management and compliance to employers and other health plan sponsors, health plans, health plan fiduciaries and administrators, health and other insurers, third party administrators, health care and other managed care providers and organizations, human resources and health plan technology, and other businesses about health plan design, administration, and other compliance, risk management and operational matters. If you have questions or need advice or help evaluating or addressing these or other compliance, risk management, or other concerns, contact her.
For More Information
We hope this update is helpful. For more information about these or other health or other employee benefits, human resources, or health care developments, please contact the author, Cynthia Marcotte Stamer, via e-mail or telephone at (214) 452-8297.
Solutions Law Press, Inc. invites you to receive future updates by registering on our Solutions Law Press, Inc. Website and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations Group, HR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy.
About the Author
A Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation; Cynthia Marcotte Stamer is an attorney board certified in labor and employment law by the Texas Board of Legal Specialization, management consultant, author, public policy advocate and lecturer sought out by clients and industry and government leaders for her more than 35 years of health, insurance, employment and employee benefits and other industry management work, thought leadership, public policy and regulatory affairs advocacy, coaching, teaching, and publications on health and other employee benefits, health care, insurance, workforce and other risk management and compliance.
Along with her decades of legal and strategic consulting experience, Ms. Stamer also contributes her leadership and experience to many professional, civic and community organizations. Along with currently serving as Co-Chair of the ABA Real Property Trusts and Estates (“RPTE”) Section Welfare Plan Committee, Co-Chair of the ABA International Section International Employment Law Committee and its Annual Meeting Program Planning Committee, Chair Emeritus and Vice Chair of the ABA Tort Trial and Insurance (“TIPS”) Section Medicine and Law Committee, and Chair of the ABA Intellectual Property Section Law Practice Management Committee, her previous ABA leadership roles include more than a decade of service as a Scribe for the Joint Committee on Employee Benefits (“JCEB”) annual agency meetings with the Department of Health and Human Services and JCEB Council Representative, International Section Life Sciences Committee Chair, RPTE Section Employee Benefits Group Chair and a Substantive Groups Committee Member, Health Law Section Managed Care & Insurance Interest Group Chair, as TIPS Section Medicine and Law Committee Chair and Employee Benefits Committee and Workers Compensation Committee Vice Chair, Tax Section Fringe Benefit Committee Chair, and in various other ABA leadership capacities. Ms. Stamer also is a former Southwest Benefits Association Board Member and Continuing Education Chair, SHRM National Consultant Board Chair and Region IV Chair, Dallas Bar Association Employee Benefits Committee Chair, former Texas Association of Business State, Regional and Dallas Chapter Chair, a founding board member and Past President of the Alliance for Healthcare Excellence, as well as in the leadership of many other professional, civic and community organizations. She also is recognized for her contributions to strengthening health care policy and charitable and community service resolving health care challenges performed under PROJECT COPE Coalition For Patient Empowerment initiative and many other pro bono service involvements locally, nationally and internationally.
Ms. Stamer is the author of many highly regarded works published by leading professional and business publishers, the ABA, the American Health Lawyers Association, and others. Ms. Stamer also frequently speaks and serves on the faculty and steering committee for many ABA and other professional and industry conferences and conducts leadership and industry training for a wide range of organizations.
For more information about Ms. Stamer or her health industry and other experience and involvements, see http://www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.
About Solutions Law Press™
Solutions Law Press™ provides health care, insurance, human resources and employee benefit, data and technology, regulatory and operational performance, and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education. These include extensive resources on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press™ resources or training.
If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.
NOTICE: These statements and materials are for general information and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation considering the specific facts and circumstances presented in their unique circumstances at the particular time. No comment or statement in this publication is to be construed as legal advice or an admission. Solutions Law Press and its authors reserve the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law constantly and often rapidly evolves, subsequent developments that could impact the currency and completeness of this discussion are likely. Solutions Law Press and its authors disclaim and have no responsibility to provide any update or otherwise notify anyone of any fact or law-specific nuance, change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.
Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.
©2025 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press.™ For information about licensing for republication, please contact the author directly. All other rights reserved.
slphrbenefitsupdate.com 