Green Ridge Behavioral Health Resolution Agreement and Corrective Action Plan Following Ransomware Investigation by HHS OCR

According to the Resolution Agreement published by HHS, Office of Civil Rights that is charged with enforcing the HIPAA Privacy Rule standards, (45 CFR Part 160 and Part 164, Subparts A and E) as well as the security Rule (45 CFR Part 160 and Part 164 Subparts A and C) and the Breach Notification Rule (45 FR Part 160 and Part 164 Subparts A and D). Following a Breach Report, OCR investigated a ransomware attack involving PHI for over 14,000 patients which revealed GRBH’s noncompliance with both the Privacy and the Security Rules. The investigation indicated the following potential violations:

  • Failure to comply with the requirement to conduct an accurate and thorough risk analysis of potential risks and vulnerabilities to confidentiality and integrity of all ePHI (45 CFR §164.308(a)(l)(ii)(a))
  • Failure to comply with requirement to implement security measures sufficient to reduce risks and vulnerabilities to ePHI to reasonable and appropriate level. (45 CFR §164.308(a)(l)(ii)(B))
  • Failure to comply with requirement to implement policies and procedures to regularly review records of information system activity, such as incident tracking reports and access reports (45 CFR §164.308(a)(1)(ii)(A))
  • Failure to comply with the requirement to not use or disclose PHI except as permitted by the Privacy Rule. (45 CFR §164.502(a)).

The Resolution Agreement with Green Ridge Behavioral Health (GRBH) in late October, 2023, is not an admission or concession but is intended to resolve the investigation and any potential HIPAA violations and avoid further burden and expense of investigation and formal proceedings, according to the terms of the document. GRBH agreed to pay $40,000 in a lump sum payment within 3 days of the effective date of the agreement and agreed to comply with terms of a Corrective Action Plan (CAP) attached to the Agreement. The Agreement is binding on successors. Breach of the CAP, and failure to cure as set for the in the Cap, constitutes breach of the Resolution Agreement. Green Ridge will also conduct an audit of third-party vendors to ensure that business associate agreements are in place, and report to OCR if workforce members fail to comply with HIPAA.

The outcome of this investigation underscores the need for all behavioral health providers to give time and attention to compliance activities to minimize the risks to their organizations particularly in light of the number of breaches healthcare institutions and other providers are currently experiencing.