Top of the World Ranch Treatment Center Settles with OCR


The U.S. Department of Health and Human Services Office for Civil Rights announced a settlement with Top of the World Ranch Treatment Center (TWRTC) in the amount of $103,000.

The HIPAA Security Rule requires administrative, physical, and technical safeguards to protect electronic PHI. The Risk Analysis standard requires organizations to assess risks and vulnerabilities to ePHI. Covered entities and business associates must comply with the Risk Analysis requirement.

Organizations must identify where ePHI is stored and transmitted in order to protect it properly. This case is another example of why system-wide risk analyses are so important.

OCR opened its investigation after TWRTC reported a breach in March 2023.
A phishing attack allowed an unauthorized party to access ePHI through an employee’s email account. The attack exposed the ePHI of 1,980 patients.

OCR determined that TWRTC failed to conduct an accurate and thorough risk analysis. This failure violated the HIPAA Security Rule.

TWRTC also agreed to implement a corrective action plan that OCR will monitor for two years.

Under the corrective action plan, TWRTC must:

• Conduct and complete an accurate and thorough risk analysis to identify risks and vulnerabilities to ePHI.

• Develop and implement a risk management plan to address identified security risks and vulnerabilities.

• Create, maintain, and update written policies and procedures to comply with HIPAA Privacy, Security, and Breach Notification Rules.

• Provide annual HIPAA training to workforce members who access ePHI, since employees serve as the first line of defense against cyber threats.

Recommendations:

• Identify where ePHI is stored and how it enters, moves through, and exits your systems.

• Conduct regular risk analyses and update risk management measures to address identified vulnerabilities.

• Implement audit controls to record and examine system activity.

• Review system activity regularly to detect suspicious behavior.

• Use authentication mechanisms to verify users before granting access to ePHI.

• Encrypt ePHI in transit and at rest when appropriate to prevent unauthorized access.

• Incorporate lessons from security incidents into your security management process.

At Aris Medical Solutions, our online HIPAA Keeper™ is an all-in-one secure, cloud-based system that helps healthcare providers and business associates simplify compliance by maintaining their risk analyses, up-to-date policies and procedures, HIPAA training, and documentation to meet every aspect of the HIPAA Privacy and Security Rules.

Protect your organization before an attack happens.

Schedule your HIPAA compliance review today and protect your organization from the next enforcement headline.

About Suze Shaffer

Suze Shaffer is the owner and president of Aris Medical Solutions. She specializes in HIPAA compliance, risk management, and cyber security. She believes that clients who understand why and what needs to be done to protect their practice have a better outcome.

Suze has been instrumental in helping clients nationwide with risk management, implementing privacy and security rule policies and procedures, and ultimately protecting patient data. She includes state and federal regulatory requirements to ensure clients are protected in all areas.

She has spoken at numerous conferences and functions. She continues to educate organizations on how to minimize the risks of data breaches. HIPAA compliance is not an option; it is mandatory for every organization that comes in contact with protected health information to have reasonable and appropriate security measures in place. Unfortunately, most organizations don’t realize they are not compliant until they suffer a data breach or are faced with an audit or investigation.

Did you know that the Office for Civil Rights (OCR) is the agency that investigates data breaches? Have you seen the heavy fines that have been imposed for non-compliance?

All 50 states now have their own set of privacy laws and the State's Attorney General may also investigate privacy violations!


September 30, 2025
©2026 Aris Medical Solutions – HIPAA Keeper | HIPAA Compliance Consultants | All Rights Reserved | Terms and Conditions | Privacy Policy