In the final days of the Biden Administration, the U.S. Department of Health and Human Services Office for Civil Rights (“HHS OCR”) remained active in resolving a large number of investigations, reflecting the agency’s notably high recent output. In the past year, the HHS OCR has brought 22 HIPAA enforcement actions—the second-highest number in HHS OCR history—and collected $9.9 million in settlements and civil penalties.
Several of the recent data security settlements have been part of HHS’s recent focus on the risk analysis provision of the HIPAA Security Rule (“Security Rule”). The provision requires companies to “[c]onduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (‘ePHI’) held by the covered entity or business associate.” Since 2018, the HHS OCR has seen a 264% increase in reported large breaches involving ransomware, which may have influenced the agency’s increased focus on risk analysis investigations, given the Security Rule’s emphasis on assessments as preventive measures.
In the past two months, the HHS OCR reached a $1.19 million settlement with Gulf Coast Pain Consultants and a $3 million settlement with Solara Medical Supplies for their alleged failure to conduct accurate and thorough risk analyses, among other purported Security Rule violations.
This past October, the HHS OCR also launched the Risk Analysis Initiative, highlighting the need for better compliance with the risk analysis provision and closing out a number of investigations. Thus far, the HHS OCR has reached four settlements under the new Risk Analysis Initiative, three of which were finalized within just over a week of each other. Additionally, the proposed rule that HHS announced on December 27, 2024, proposes significant updates to the risk analysis requirement. As discussed more below, this rule is currently in an open comment period that will end on March 7, 2025.
In this post, we summarize the Risk Analysis Initiative settlements, as well as provide some key takeaways from these decisions and a look ahead into what might change under the Trump Administration.
Summary of HHS OCR’s Risk Analysis Initiative Cases
- Bryan County Ambulance Authority: Bryan County Ambulance Authority (“BCAA”) is an Oklahoma emergency medical services provider controlled by the county. On November 24, 2021, BCAA experienced a ransomware attack that encrypted files on its network. In its breach notification to the HHS OCR, BCAA reported that files impacted by the ransomware contained the ePHI of approximately 14,273 patients. In response to BCAA’s breach notification report, the HHS OCR opened an investigation on June 9, 2022. According to the HHS OCR’s press release, BCAA failed to conduct the risk assessment required by HIPAA’s risk analysis provision. On October 31, 2024, the HHS OCR announced its settlement with BCAA as the first enforcement action under its new Risk Analysis Initiative. Additionally, the settlement was the HHS OCR’s seventh ransomware enforcement action. Under the terms of the settlement, BCAA agreed to pay $90,000 and implement a corrective action plan that the HHS OCR will monitor for three years. The corrective action plan requires BCAA to (1) conduct an accurate and thorough risk analysis to determine potential threats to its ePHI; (2) implement a risk management plan to address the threats identified in the risk analysis; (3) develop and maintain written policies and procedures to comply with HIPAA rules; and (4) train its employees on HIPAA policies and procedures.
- Elgon Information Systems: Elgon Information Systems (“Elgon”) is a Massachusetts company that provides electronic medical record and billing support services. As a business associate to HIPAA covered entities, Elgon also falls within the scope of HIPAA compliance. The HHS OCR’s enforcement documents describe how an unknown actor accessed a server on Elgon’s information system through open ports on the company’s firewall on March 25, 2023. Elgon became aware of the intrusion when it identified a ransom note a week later. In total, the breach affected 31,248 individuals and involved ePHI such as demographic information (e.g., name, address, Social Security number, and date of birth) and clinical information (e.g., diagnosis, condition, and medication).
According to the HHS OCR’s resolution agreement, Elgon failed to conduct an accurate and thorough assessment of the potential risks and vulnerabilities of its ePHI. On January 7, 2025, the HHS OCR reached an $80,000 settlement with Elgon. Under the terms of the settlement agreement, Elgon agreed to implement a corrective action plan similar to the one imposed on BCAA, including the three-year HHS monitoring requirement.
- Virtual Private Network Solutions: Virtual Private Network Solutions, LLC (“VPN”) is a Virginia-based company that provides data housing and cloud services to covered entities such as health plans, healthcare clearinghouses, and healthcare providers. On December 30, 2021, VPN filed a breach notification report with the HHS OCR on behalf of 12 of its covered entity clients. In the report, VPN indicated that it experienced a ransomware attack on its server and first became aware of the attack on October 31, 2021. The attack resulted in the encryption of covered entity data, including names, addresses, Social Security numbers, dates of birth, claim information, bank account numbers, lab results, medications, and other treatment information.
According to the HHS OCR’s resolution agreement, VPN failed to conduct an accurate and thorough assessment of the potential risks and vulnerabilities related to the ePHI it stored and processed. On January 7, 2025, the HHS OCR reached a $90,000 settlement with VPN. Under the terms of the settlement agreement, VPN agreed to be monitored by the HHS OCR for one year and to implement a corrective action plan similar to the plans in the BCAA and Elgon settlements. The VPN settlement was announced on the same day as the Elgon settlement and marked the third enforcement action in the HHS OCR’s Risk Analysis Initiative.
- Northeast Surgical Group: Northeast Surgical Group (“NESG”) is a surgical center in Michigan. On March 6, 2023, NESG filed a breach notification report with the HHS OCR regarding a January 2023 ransomware breach. The breach resulted in the encryption and exfiltration of ePHI from 15,298 individuals, which represented NESG’s entire patient population. According to the HHS OCR’s resolution agreement, NESG failed to conduct an accurate and thorough assessment of the potential risks and vulnerabilities of its ePHI. On January 15, 2025, the HHS OCR reached a $10,000 settlement with NESG. Under the terms of the agreement, NESG agreed to be monitored by the HHS OCR for two years and to implement a corrective action plan similar to the plans in the three enforcement actions described above.
Key Takeaways
- HIPAA-regulated entities should ensure they are conducting accurate and thorough risk assessments. According to HHS OCR guidance, organizations should focus their risk assessments on identifying (1) the ePHI that they create, receive, maintain, or transmit; (2) any external sources of ePHI that they receive; and (3) the human, natural, and environmental threats that pose a risk to their storage of ePHI. The HHS OCR also advises using risk assessments to inform the development of appropriate personnel screening processes, identify what data to back up (and how), decide whether to use encryption (and if so, how), and determine the appropriate manner in which to protect ePHI transmissions.
- Regulated entities should closely familiarize themselves with the proposed changes to the Security Rule. While guidance from the HHS OCR states that covered entities and business associates should perform a risk analysis annually or as needed (based on the circumstances of their environment), the current version of the Security Rule does not specify a required frequency. However, under the proposed rule change filed with the Federal Register on January 6, 2025, organizations would be required to conduct a risk analysis every 12 months. Additionally, the proposed rule changes would require organizations to document the risk assessment in writing; identify potential vulnerabilities, anticipated threats, security measures, and the likelihood of each identified threat, and predict how each threat might impact the organization; and provide an analysis of any risks posed by new or ongoing contracts with business associates. Regulated organizations should familiarize themselves with the proposed new requirements for risk assessments, along with the other proposed changes to the Security Rule.
- The pace of enforcement activity from HHS is changing under the current administration. Just weeks after its recent string of enforcement actions, HHS appears to be slowing its enforcement activity as the new administration settles into office. Still early in his administration, President Trump has already taken a number of actions affecting the agency. First, on January 20, 2025, President Trump signed an executive order directing agencies to refrain from issuing or proposing any rule until a Trump political appointee reviews and approves the rule. Additionally, the order directed agencies to consider postponing the effective date of any rules that have been issued but have not yet taken effect. The executive order clarifies that “rule” also refers to “any substantive action by an agency… [including] notices of proposed rulemaking,” but also suggests that agencies postponing rules can consider opening a comment period to allow parties “to provide comments about issues of fact, law, and policy” under the new executive order. With this in mind, we expect the comment period for the proposed changes to the Security Rule to remain open until its March 7, 2025 deadline, but anticipate a low likelihood of a final rule resulting from the process, given that the rule was proposed by the previous administration.
Next, on the day following the executive order, the acting head of HHS directed all the agency’s divisions to refrain from issuing external communications, like guidance or notices, until such documents can be approved by a political appointee. Given the changes in personnel and the immediate pause on agency communication, HHS’s priorities and level of enforcement activity remain uncertain for the immediate future.
As with any new presidential administration, we expect to see many regulatory changes with the transition to the Trump Administration. We will keep a close eye on the HHS OCR’s work over the next few months, as it will forecast whether heightened ePHI protections are here to stay.
Please reach out with questions you might have about your company’s risk management programs. To keep up to date on the HHS OCR’s enforcement activities, as well as the proposed changes to the Security Rule, be sure to subscribe to the WilmerHale Cybersecurity and Privacy Law Blog.