Providence Medical Institute Notice of Proposed Determination

DEPARTMENT OF HEALTH & HUMAN SERVICES
OFFICE OF THE SECRETARY
Office for Civil Rights, Pacific Region
90 7th Street, Suite 4-100
San Francisco, CA 94103
TDD - (800) 537-7697
Voice - (800) 368-1019
http://www.hhs.gov/ocr/

Via Personal Service, Certified Mail Return Receipt Requested, and Email

March 29, 2024

Rod Hochman, MD, President & CEO
Providence Medical Institute 
3400 Aerojet Ave, Suite 323
El Monte, CA 91731

Re:       Providence Medical Institute
             OCR Transaction Number: 18-303126

Notice of Proposed Determination

Dear Sir:

Pursuant to the authority delegated by the Secretary of the United States Department of Health and Human Services (“HHS”) to the Office for Civil Rights (“OCR”), I am writing to inform you that OCR is proposing to impose a civil money penalty (“CMP”) of $240,000 against Providence Medical Institute (“PMI”).

This proposed action is being taken under the regulations promulgated pursuant to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), § 262(a), Pub. L. 104-191, 110 Stat. 1936, as amended by the Health Information Technology for Economic and Clinical Health (“HITECH”) Act, Public Law 111-5, Section 13410, codified at 42 U.S.C. § 1320d-5, and set forth at 45 Code of Federal Regulations (C.F.R.) Parts 160 and 164.

I.         The Statutory Basis for the Proposed CMP

The Secretary of HHS is authorized to impose a CMP (subject to the limitations set forth at 42 U.S.C. § 1320d-5(b)) against any covered entity, as described at 42 U.S.C. § 1320d-1(a), that violates a provision of Part C (Administrative Simplification) of Title XI of the Social Security Act. See HIPAA, § 262(a), as amended, 42 U.S.C. § 1320d-5(a). This authority includes imposing CMPs for violations of the applicable provisions of the Federal Standards for Privacy of Individually Identifiable Health Information and the Security Standards for the Protection of Electronic Protected Health Information (ePHI) (45 C.F.R. Parts 160 and 164, Subparts A, C, and E, the Privacy and Security Rules), and the Breach Notification Rule (45 C.F.R. Parts 160 and 164, Subpart D). The Secretary has delegated enforcement responsibility for the HIPAA Rules to the Director of OCR. See 65 Federal Register (Fed. Reg.) 82381 (Dec. 28, 2000) and 74 Fed. Reg. 38630 (July 27, 2009). OCR is authorized under the HITECH Act § 13410, 42 U.S.C. § 1320d-5(a)(3),[1] to impose CMPs for violations occurring on or after February 18, 2009,[2] of:

  • A minimum of $100 for each violation where the covered entity or business associate did not know and, by exercising reasonable diligence, would not have known that the covered entity or business associate violated such provision, except that the total amount imposed on the covered entity or business associate for all violations of an identical requirement or prohibition during a calendar year may not exceed $25,000.
  • A minimum of $1,000 for each violation due to reasonable cause and not to willful neglect, except that the total amount imposed on the covered entity or business associate for all violations of an identical requirement or prohibition during a calendar year may not exceed $100,000. Reasonable cause means an act or omission in which a covered entity or business associate knew, or by exercising reasonable diligence would have known, that the act or omission violated an administrative simplification provision, but in which the covered entity or business associate did not act with willful neglect.
  • A minimum of $10,000 for each violation due to willful neglect and corrected within 30 days, except that the total amount imposed on the covered entity or business associate for all violations of an identical requirement or prohibition during a calendar year may not exceed $250,000.
  • A minimum of $50,000 for each violation due to willful neglect and uncorrected within 30 days, except that the total amount imposed on the covered entity or business associate for all violations of an identical requirement or prohibition during a calendar year may not exceed $1,500,000.

As required by law, OCR has adjusted the CMP ranges for each penalty tier for inflation.[3] The adjusted amounts are applicable only to CMPs whose violations occurred after November 2, 2015.

OCR is precluded from imposing a CMP unless the action is commenced within six years from the date of the violation.[4]

II.         Findings of Fact

  1. PMI is a non-profit physician services organization composed of 275 providers that work in thirty-five medical offices across Southern California.
  2. PMI is a covered entity as defined at 45 C.F.R. § 160.103, and, therefore, is required to comply with the HIPAA Rules.
  3. PMI is a health care provider that transmits health information in electronic form in connection with transactions for which HHS has adopted standards.
  4. In July 2016, PMI acquired Center for Orthopaedic Specialists (COS). COS provides full scope orthopedic medical services in western Los Angeles County and eastern Ventura County. Prior to July 2016, COS operated as an independent physician practice with its own IT network that had been managed and supported by its IT Vendor, Creative Solutions in Computers (CSnC). After PMI acquired COS in July 2016, it initiated a two-year transition plan with the end goal of having COS fully integrated as a unit of PMI and utilizing PMI’s IT environment. CSnC remained COS’s IT vendor while COS transitioned to PMI’s network. Due to the opening of a new practice location that involved a series of construction delays, as well as some staffing issues, COS’s integration into PMI’s infrastructure was delayed until May 2019.
  5. On February 18, 2018, COS systems containing ePHI were encrypted in a ransomware attack, after a workforce member clicked on a phishing email. COS restored patient data using backup tapes within days of the ransomware attack.
  6. On February 25, 2018, COS systems containing ePHI were impacted by a second ransomware attack which encrypted ePHI maintained on COS’s system, rendering the data inaccessible and unavailable to COS. COS again restored patient data using backup tapes within days of the ransomware attack.
  7. On March 4, 2018, COS systems containing ePHI were impacted by a third wave of ransomware. PMI determined that the third attack was perpetrated by the same attacker, but that the attacker was able to gain remote desktop access to COS’s systems through administrator credentials that had been compromised during one of the first two attacks.
  8. On April 18, 2018, PMI filed a breach report with OCR concerning the unauthorized access and encryption of COS’s eClinicalWorks EMR on three separate occasions, over three consecutive Sundays: (1) February 18, 2018; (2) February 25, 2018; and (3) March 4, 2018. The compromised data included ePHI belonging to 85,000 individuals. The compromised ePHI included names, addresses, dates of birth, driver’s license numbers, Social Security numbers, lab results, medications, treatment information, credit card information, bank account numbers, and other financial information.
  9. On May 10, 2018, OCR notified PMI, in writing, of its commencement of an investigation of this breach report and of PMI’s compliance with the HIPAA Privacy, Security and Breach Notification Rules.
  10. During the course of OCR’s investigation PMI submitted evidence demonstrating that at the time of the breach, COS’s IT vendor, CSnC, provided data management services for COS’s IT network, which included its eClinicalWorks EMR servers. The services provided by CSnC required COS to disclose its ePHI to CSnC. Accordingly, the service relationship PMI had with CSnC, specifically CSnC’s management and maintenance of COS’s ePHI, makes CSnC a business associate under the regulations. PMI did not have a business associate agreement with CSnC prior to June 15, 2018 (see 45 C.F.R. § 164.308(b)).
  11. Approximately three months after the last ransomware attack, on June 21, 2018, PMI performed a post-incident assessment of COS’s ePHI environment. The assessment found that at the time of the attacks: COS used unsupported and obsolete operating systems to host its ePHI; COS did not have a demilitarized zone (DMZ) network enabled or configured to separate its private network from the public internet and other untrusted networks; COS’s firewall was not properly configured to monitor and track access to or changes in its network; and COS had Remote Desktop Protocol (RDP) access enabled in a way that allowed insecure remote access to COS workstations from external sources. The assessment also found that at the time of the attacks, COS workforce members were sharing generic credentials with administrator access to log into COS’s workstations, so that every user logging into a COS workstation had unrestricted administrator access. The evidence collected during OCR’s investigation indicates that the ePHI was accessible and viewable to the attackers because encryption was not deployed on COS’s servers or workstations prior to the attacks.
  12. The evidence collected during OCR’s investigation indicates that PMI did not have a business associate agreement with CSnC from its acquisition of COS in July 2016 until June 15, 2018 (see 45 C.F.R. § 164.308(b)), and that PMI failed to implement the required technical policies and procedures for COS’s electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights, prior to integrating COS into PMI’s IT infrastructure on May 23, 2019 (see 45 C.F.R. § 164.312(a)(1)).
  13. On September 20, 2023, OCR notified PMI of OCR’s investigation results, and offered PMI an opportunity to resolve the matter informally.
  14. On January 25, 2024, pursuant to 45 C.F.R. § 160.312(a)(3), OCR sent PMI a Letter of Opportunity (LOO). The LOO informed PMI that OCR’s investigation found preliminary indications that PMI failed to comply with certain provisions of the Privacy and Security Rules, and that this matter had not been resolved by informal means despite OCR’s attempts to do so. The LOO stated that pursuant to 45 C.F.R. § 160.312(a)(3), OCR is providing PMI with an opportunity to submit written evidence of any mitigating factors (45 C.F.R. § 160.408) or affirmative defenses (45 C.F.R. § 160.410) for OCR’s consideration in determining a civil money penalty (CMP) pursuant to 45 C.F.R. § 160.404. The letter also advised PMI that it may submit written evidence to support a waiver of a CMP pursuant to 45 C.F.R. § 160.412. Each act of noncompliance under the Privacy and Security Rules was described in the letter.
  15. PMI responded to the LOO on February 21, 2024.
  16. OCR determined that the information and arguments submitted by PMI do not support an affirmative defense pursuant to 45 C.F.R. § 160.410. See Section IV below.
  17. OCR considered factors pursuant to 45 C.F.R. § 160.408, including PMI’s LOO response alleging a mitigating factor, and aggravating factors based on evidence obtained by OCR during its investigation, in determining the amount of the CMP. See Section V below.
  18. OCR determined that the information and arguments submitted by PMI do not support a waiver of the CMP pursuant to 45 C.F.R. § 160.412. See Section VII below.
  19. OCR obtained the authorization of the Attorney General of the United States, pursuant to 42 U.S.C. 1320a-7a, prior to issuing this Notice of Proposed Determination to impose a CMP.
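The two access-control conditions in finding 11 (RDP reachable from external sources and a generic administrator credential shared across workstations) leave a footprint in Windows logon records that an incident responder can hunt for. The Python below is an example added by the editor; it is not part of OCR’s notice or of any PMI or COS submission. The log lines, the flattened one-line rendering of Windows Security event 4624 fields, and the choice of RFC 1918 ranges as the “internal” address space are all constructed assumptions for the example.

```python
"""Hunting for the two access-control conditions described in finding 11:
successful RDP logons reaching workstations from outside the private
network, and one administrator account used interactively across many
hosts.  The log lines below are constructed for this example (a flattened
rendering of the fields of Windows Security event 4624, "an account was
successfully logged on") and are not from the PMI/COS incident."""
import ipaddress
from collections import defaultdict

# Assumption: the organization's internal address space is the RFC 1918 ranges.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Windows logon types: 2 = Interactive (at the console), 10 = RemoteInteractive (RDP).
INTERACTIVE_LOGON_TYPES = {2, 10}
RDP_LOGON_TYPE = 10

# Constructed sample log: one event per line, "<timestamp> Key=Value ...".
# It deliberately includes a failed logon (EventID 4625) and a network logon
# (LogonType 3) that both checks must ignore.
SAMPLE_LOG = """\
2018-02-18T02:11:04 EventID=4624 TargetUserName=cosadmin LogonType=10 IpAddress=203.0.113.45 WorkstationName=COS-WS01
2018-02-18T08:30:12 EventID=4624 TargetUserName=cosadmin LogonType=2 IpAddress=- WorkstationName=COS-WS02
2018-02-18T08:32:40 EventID=4624 TargetUserName=cosadmin LogonType=2 IpAddress=- WorkstationName=COS-WS03
2018-02-19T09:05:01 EventID=4624 TargetUserName=jsmith LogonType=10 IpAddress=192.168.10.22 WorkstationName=COS-WS04
2018-02-25T03:02:55 EventID=4624 TargetUserName=cosadmin LogonType=10 IpAddress=198.51.100.7 WorkstationName=COS-EMR01
2018-02-25T03:05:10 EventID=4625 TargetUserName=cosadmin LogonType=10 IpAddress=198.51.100.7 WorkstationName=COS-EMR01
2018-03-04T01:47:33 EventID=4624 TargetUserName=backupsvc LogonType=3 IpAddress=10.0.0.5 WorkstationName=COS-EMR01
"""


def parse_event(line):
    """Turn one flattened event line into a dict; LogonType becomes an int."""
    timestamp, *fields = line.split()
    event = {"Timestamp": timestamp}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    event["LogonType"] = int(event.get("LogonType", -1))
    return event


def parse_log(text):
    return [parse_event(line) for line in text.splitlines() if line.strip()]


def is_external(ip_text):
    """True when the source address parses and lies outside INTERNAL_NETS.
    Placeholders such as "-" (local logons) and loopback addresses count as internal."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    if addr.is_loopback:
        return False
    return not any(addr in net for net in INTERNAL_NETS)


def external_rdp_logons(events):
    """Successful RDP logons (type 10) whose source lies outside the private network."""
    return [e for e in events
            if e.get("EventID") == "4624"
            and e["LogonType"] == RDP_LOGON_TYPE
            and is_external(e.get("IpAddress", ""))]


def shared_interactive_accounts(events, min_hosts=3):
    """Accounts logged on interactively (console or RDP) to at least min_hosts
    distinct workstations: the footprint of a generic credential passed around staff."""
    hosts_by_account = defaultdict(set)
    for e in events:
        if e.get("EventID") == "4624" and e["LogonType"] in INTERACTIVE_LOGON_TYPES:
            hosts_by_account[e["TargetUserName"]].add(e["WorkstationName"])
    return {acct: sorted(hosts) for acct, hosts in hosts_by_account.items()
            if len(hosts) >= min_hosts}


def analyze(text):
    """Run both checks over a log and return the findings."""
    events = parse_log(text)
    return {"external_rdp": external_rdp_logons(events),
            "shared_accounts": shared_interactive_accounts(events)}


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for e in report["external_rdp"]:
        print(f"{e['Timestamp']} external RDP logon: {e['TargetUserName']} "
              f"from {e['IpAddress']} -> {e['WorkstationName']}")
    for acct, hosts in report["shared_accounts"].items():
        print(f"account {acct} used interactively on {len(hosts)} hosts: {', '.join(hosts)}")
```

On the constructed sample the first check surfaces the two successful RDP logons from non-private addresses and the second flags the one account seen interactively on four different machines; the failed logon and the service account’s network logon are ignored. In a real environment the same logic runs over exported 4624 events from the domain controllers and workstations, and the internal ranges should be the organization’s actual address plan rather than the RFC 1918 assumption used here.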

III.         Basis for CMP

Based on the above findings of fact, OCR has determined that PMI is liable for the following violations of the HIPAA Rules and, therefore, subject to a CMP:

  1. PMI failed to have a business associate agreement with CSnC from its acquisition of COS in July 2016 until June 15, 2018, in violation of 45 C.F.R. § 164.308(b). OCR has determined that the appropriate penalty tier for this violation is reasonable cause.
  2. PMI did not implement the required technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights, prior to May 23, 2019, in violation of 45 C.F.R. § 164.312(a)(1). OCR has determined that the appropriate penalty tier for this violation is reasonable cause.

IV.         No Affirmative Defenses

By its January 25, 2024, LOO, OCR offered PMI the opportunity to provide written evidence of affirmative defenses per 45 C.F.R. § 160.410.

OCR determined that the information contained in PMI’s response dated February 21, 2024, did not provide a basis for an affirmative defense under 45 C.F.R. § 160.410.

V.         Factors Considered in Determining the Amount of the CMP

  1. In determining the CMP amount, OCR is required to consider certain factors listed in the regulation at 45 C.F.R. § 160.408, which may be mitigating or aggravating as appropriate. As such, OCR considered the following:
    1. 45 C.F.R. § 160.408(a) The nature and extent of the violation. As stated above, between February 18 and March 4, 2018, COS experienced three consecutive ransomware attacks by the same threat actor that successfully encrypted all data stored on COS’s eClinicalWorks EMR servers. Each ransomware attack encrypted ePHI of 85,000 individuals. While these multiple breach incidents may be considered a large breach under the HITECH Act and HIPAA Breach Notification Rule (500 or more individuals affected), it is not one of the largest reported breaches that OCR receives annually. However, this breach incident affected COS’s entire patient population, and the fact that this breach incident did not affect a larger number of individuals cannot be attributed to the actions of the covered entity. While OCR’s investigation found that PMI failed to take reasonable steps to secure COS’s ePHI environment prior to the ransomware attacks, or to end the unauthorized access by simply changing the compromised credentials after the first and second attacks, none of the proposed violations are ongoing. While OCR acknowledges that PMI took some corrective actions to resolve the potential noncompliance during OCR’s investigation, PMI/COS failed to have a Business Associate Agreement in place with its IT vendor for many years and its access control deficiencies contributed to the ransomware attacks. As such, OCR finds this is a neutral factor, with mitigating and aggravating considerations canceling each other out.
    2. 45 C.F.R. § 160.408(b) The nature and extent of the harm resulting from the violation. There is no evidence of harm resulting from the violation that caused physical, financial or reputational harm or hindered an individual’s ability to obtain health care. However, the good fortune that there is no evidence of harm as a result of these disclosures of PHI in the three ransomware attacks cannot be attributed to any actions by PMI. As such, OCR finds that this is neither a mitigating nor an aggravating factor.
    3. 45 C.F.R. § 160.408(c) The history of prior compliance with the administrative simplification provisions, including violations, by the covered entity. OCR has not previously investigated PMI regarding its compliance with the HIPAA Rules. PMI has not previously filed a breach report with HHS and no prior complaints have been investigated by OCR. As such, OCR has not had the opportunity to assess (1) whether the current violation is the same as or similar to previous indications of noncompliance, (2) whether and to what extent PMI has attempted to correct previous indications of noncompliance, (3) how PMI has responded to technical assistance from OCR provided in the context of a compliance effort, or (4) how PMI has responded to prior complaints.

       However, although OCR has not received any breach reports or complaints against PMI to investigate or otherwise determine prior compliance, the lack of previous OCR investigations regarding HIPAA compliance is not evidence of compliance. Specifically, this investigation revealed systemic potential violations of the HIPAA Security Rule that have been longstanding. As such, OCR finds that this is neither a mitigating nor an aggravating factor.
    4. 45 C.F.R. § 160.408(d) The financial condition of the covered entity. PMI is a large sized entity. There is no evidence to suggest that PMI has had financial difficulties that would affect its ability to comply with the requirements of HIPAA. Further, there is no indication that the imposition of a civil money penalty would jeopardize PMI’s ability to continue to provide health care. As such, OCR finds that this is neither a mitigating nor an aggravating factor.
    5. 45 C.F.R. § 160.408(e) Such other matters as justice may require. Based on OCR’s consideration of the totality of the circumstances, OCR finds this is neither a mitigating nor an aggravating factor.
  2. Recognized Security Practices (RSPs): Public Law 116-321 requires that OCR consider RSPs that HIPAA covered entities adequately demonstrate had been in place for a period of not less than the previous 12 months when determining a civil money penalty.

    On August 25, 2021, OCR submitted a data request providing an opportunity for PMI to adequately demonstrate that it had RSPs in place. PMI responded to OCR’s data request on October 6, 2021. Upon examination of all the data, policies and procedures, OCR determined that PMI’s response adequately demonstrated that it had RSPs in place for the previous 12 months in alignment with Section 405(d) of the Cybersecurity Act of 2015 (CSA). Therefore, OCR applied a reduction to the CMP based on PMI’s sufficient implementation of RSPs.

VI.         Waiver

OCR has determined that there is no basis for waiver of the proposed CMP amount as set forth at 45 C.F.R. §160.412. PMI presented no evidence that the payment of the CMP would be excessive relative to the violations found here and described in OCR’s letter to PMI of January 25, 2024.

VII.         Amount of CMP

A. Amount of CMP Per Violation

Based on the above factors, OCR finds that PMI is liable for the following CMPs for each violation described in Section III:

  1. Business associate contracts and other arrangements (45 C.F.R. § 164.308(b)): The CMP is $100,000. While PMI failed to enter into a compliant business associate contract as of July 1, 2016, in compliance with 45 C.F.R. § 160.414 OCR will begin calculations for this violation 6 years prior to the NPD date, on April 1, 2018. The penalty calculation ends on June 14, 2018, the day prior to execution of a Business Associate Agreement with CSnC. The appropriate penalty tier for this violation is Reasonable Cause, as follows:
    1. Calendar Year 2018: 75 days from April 1, 2018, to June 14, 2018, at $1,379 per day with an annual cap of $100,000
    2. Total CMP: $103,425, capped at $100,000
  2. Access Controls (45 C.F.R. § 164.312(a)(1)): The CMP is $200,000. OCR will begin calculations for this proposed violation 6 years prior to the NPD date, April 1, 2018. The penalty calculation ends on May 22, 2019, which is the day prior to PMI completing its integration of COS into PMI’s IT infrastructure and achieving substantial compliance with this Security Rule standard. The appropriate penalty tier for this violation is Reasonable Cause, as follows:
    1. Calendar Year 2018: 275 days from April 1, 2018, to December 31, 2018, at $1,379 per day (Total CMP of $379,225, capped at $100,000)
    2. Calendar Year 2019: 142 days from January 1, 2019, to May 22, 2019, at $1,379 per day (Total CMP of $195,818, capped at $100,000)
    3. Total CMP: $200,000

B. Total Amount of CMP with RSP Reduction

  1. Total CMP for all violations: $300,000
  2. Total CMP with 20% reduction for RSPs: $240,000

VIII.         Right to a Hearing

PMI has the right to a hearing before an administrative law judge to challenge these proposed CMPs. To request a hearing to challenge these proposed CMPs PMI must mail a request, via certified mail with return receipt requested, under the procedures set forth at 45 C.F.R. Part 160 within 90 days of your receipt of this letter. Such a request must: (1) clearly and directly admit, deny, or explain each of the findings of fact contained in this notice; and (2) state the circumstances or arguments that you allege constitute the grounds for any defense, and the factual and legal basis for opposing the proposed CMP. See 45 C.F.R. § 160.504(c). If you wish to request a hearing, you must submit your request to:

U.S. Department of Health & Human Services
Departmental Appeals Board, MS 6132
Civil Remedies Division
330 Independence Ave, SW
Cohen Building, Room G-644
Washington, D.C. 20201
Telephone: (202) 565-9462

Copy to:
Michael Leoz, Regional Manager
Office for Civil Rights
U.S. Department of Health and Human Services
90 7th Street, Suite 4-100
San Francisco, CA 94103
Voice: (800) 368-1019
Fax: (415) 437-8329
TDD: (800) 537-7697
Email: Reg10.OCRmail@hhs.gov

A failure to request a hearing within 90 days permits the imposition of the proposed CMP without a right to a hearing under 45 C.F.R. § 160.504 or a right of appeal under 45 C.F.R. § 160.548. If you choose not to contest this proposed CMP, you should submit a written statement accepting its imposition within 90 days of receipt of this notice.

If PMI does not request a hearing within 90 days, then OCR will notify PMI of the imposition of the CMP through a separate letter, including instructions on how to make payment, and the CMP will become final upon receipt of such notice.

If you have questions regarding this matter, please contact Ms. Emily Crabbe, Senior Advisor for HIPDC Compliance and Enforcement, at (404) 562-7878 or via email at Emily.Crabbe@hhs.gov.

Sincerely,

/s/

Michael Leoz
Regional Manager

CC (via email only):
Iliana Peters, Legal Counsel
IPeters@Polsinelli.com


Footnotes

[1] The CMPs reflect the penalty tiers described in the Notification of Enforcement Discretion (April 30, 2019). See https://www.federalregister.gov/documents/2019/04/30/2019-08530/notific….

[2] For violations occurring on or after November 3, 2015, HHS may make annual adjustments to the CMP amounts pursuant to the Federal Civil Penalties Inflation Adjustment Act Improvements Act of 2015. The annual inflation amounts are found at 45 C.F.R. § 102.3. For the most recent amounts, see 88 Fed. Reg. 69531 (October 6, 2023).

[3] See Federal Civil Penalties Inflation Adjustment Act Improvements Act of 2015, Sec. 701 of Public Law 114-74. Current inflation amounts are available at 45 C.F.R. § 102.3.

[4] See 42 U.S.C. § 1320a-7a(c)(1); 45 C.F.R. § 160.414.

Content created by Office for Civil Rights (OCR)
Content last reviewed October 3, 2024