ePHI deleted: OCR settles another HIPAA investigation

Jan. 9, 2025
More than one Security Rule failure settled.

The U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) concluded another HIPAA violation investigation, settling $337,750 with USR Holdings, LLC.

Nearly 3,000 patients’ electronic protected health information (ePHI) was retrieved by an “unauthorized third party/parties who were able to delete ePHI in the database,” according to an HHS release.

Upon conducting their investigation, OCR found the organization was failing to “conduct an accurate and thorough risk analysis to determine the potential risks and vulnerabilities to ePHI in its systems; to regularly review its information system activity; and to establish and implement procedures to create and maintain retrievable exact copies of ePHI.”

USR will take several steps recommended by OCR to resolve and prevent future breaches.  

HHS release

ID 353605284 © Roman Romaniuk | Dreamstime.com
dreamstime_xxl_353605284
ID 29674078 © Andrey Popov | Dreamstime.com
dreamstime_xxl_29674078
ID 342579785 © Wanniwat Roumruk | Dreamstime.com
dreamstime_xxl_342579785
ID 118875917 © Katarzyna Bialasiewicz | Dreamstime.com
dreamstime_xxl_118875917
ID 236958198 © Dzmitry Skazau | Dreamstime.com
dreamstime_xxl_236958198