The U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) entered into a Resolution Agreement (“Agreement”) with Banner Health on behalf of Banner Health Affiliated Covered Entities (“Banner”)1 to resolve a data breach caused by a bad actor (“Hacker”). The breach affected approximately 2.81 million patients’ electronic protected health information (“ePHI”)2. Banner discovered and reported the breach in 2016, which prompted OCR to investigate Banner’s compliance with the Health Insurance Portability and Accountability Act (“HIPAA”). OCR’s investigation revealed evidence of Banner’s long-term noncompliance with HIPAA’s Security Rule under 45 C.F.R. Part 160 and Subparts A and C of 45 C.F.R. Part 164 (“Security Rule”). For example, OCR believed Banner potentially violated the following provisions under HIPAA:
- The requirement to conduct an accurate and thorough risk analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of all ePHI held by Banner. See 45 C.F.R. § 164.308(a)(1)(ii)(A).
- The requirement to implement sufficient procedures to regularly review records of information system activity. See 45 C.F.R. § 164.308(a)(1)(ii)(D).
- The requirement to implement procedures to verify that a person or entity seeking access to ePHI is the one claimed. See 45 C.F.R. § 164.312(d).
- The requirement to implement technical security measures to guard against unauthorized access to ePHI that is being transmitted over an electronic communications network. See 45 C.F.R. § 164.312(e)(1).
To resolve this, Banner paid $1,250,000.00 to OCR and agreed to implement a corrective action plan (“CAP”) that OCR will monitor for two years. Under the CAP, Banner agreed to take the following steps to ensure compliance with the Security Rule:
- Conduct an accurate and thorough risk analysis to identify risks and