Healthcare Compliance News

Audit of Utah Department of Health and Human Services Identifies Critical Privacy & Security Weaknesses

An audit of the Utah Department of Health and Human Services (DHHS) by the Office of the Utah State Auditor has identified privacy and security weaknesses that are putting the health information privacy of state residents at risk, especially children.

The audit was conducted in response to a complaint by a DHHS whistleblower employee who alleged that the DHHS had not implemented adequate incident response procedures and had insufficient monitoring mechanisms for detecting and managing privacy incidents. According to the complainant, the deficiencies have resulted in under-reporting of incidents and unmitigated exposure of sensitive data, especially the data of children.

The audit was led by Tina M. Cannon, State Auditor; Nora Kurzova, State Privacy Auditor; and Mark Meyer, Assistant State Privacy Auditor, and involved a review of applicable laws related to incident response and data protection, a privacy risk assessment of the most significant data processing activities as they relate to children, an evaluation of incident response documentation and internal privacy and cybersecurity monitoring controls, and interviews with certain DHHS employees, including members of its Information Privacy and Security (IPS) team.

The audit was limited in scope and focused on two systems: SAFE and eChart. SAFE is the Comprehensive Child Welfare Information System (CCWIS) for the State of Utah, Division of Child and Family Services (DCFS), which is used to support child welfare case management, including child abuse and neglect cases. Currently, the system contains around 6 million records relating to more than 2 million individuals. eChart is the central repository of records related to patients with mental health needs. The system is maintained by the Utah State Hospital (USH) and currently includes records relating to more than 10,500 individuals.

The audit uncovered several privacy and security weaknesses, including weaknesses in oversight, awareness, and internal controls, which allow privacy violations to go undetected and unaddressed for extended periods. The auditors identified systemic issues in both the SAFE and eChart systems related to access controls, records dissemination, and monitoring across systems and teams handling sensitive records, including mental health and child welfare.

Inadequate access controls meant sensitive records in both systems could be accessed without enforcing or adequately monitoring role-based and least-privilege access. Records could be accessed for individuals outside a user’s workload, without requiring any justification for the access. Broad access to records had been given to individuals other than DHHS social workers, including the Utah Office of Guardian ad Litem, Utah Psychotropic Oversight Panel (UPOP), and the office of the Attorney General. In the eChart system, there were similar access control issues. For instance, users of the eChart system are expected to determine for themselves what range of viewing access is appropriate, and there were no restrictions on accessing the records of individuals outside a user’s caseload. The lack of protection was given a critical risk rating.

While logs are created of user access, there was no automated system for monitoring those logs. Each month, the division’s privacy officer reviewed access logs through a manual sampling process. There was no system in place for providing real-time alerts about suspicious medical record access. Data retention periods were unnecessarily long, creating an accumulating long-term exposure risk. For instance, some records in the SAFE system had a retention period of 100 years, when the typical retention period is only 7-10 years.
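As an added illustration of the monitoring gap described above (this is not code from the audit or the article), the script below checks every access-log entry against the user's assigned caseload, flags out-of-caseload views (with a lower severity where a justification was recorded), and contrasts a full automated review with a manual sampling review. The log format, user names, record IDs and caseload table are all constructed for the example.

```python
import csv
import io
import random
from collections import Counter

# Constructed sample access log (not real audit data): one line per record view,
# in the form timestamp,user,role,record_id,justification
SAMPLE_LOG = """\
timestamp,user,role,record_id,justification
2025-09-01T08:02:11,ahughes,caseworker,R-1001,
2025-09-01T08:05:40,ahughes,caseworker,R-1002,
2025-09-01T08:09:03,ahughes,caseworker,R-2207,
2025-09-01T09:14:27,bpatel,caseworker,R-3010,
2025-09-01T09:15:02,bpatel,caseworker,R-3011,supervisor reassignment #4471
2025-09-01T09:20:55,bpatel,caseworker,R-1001,
2025-09-01T10:41:19,cwong,external_panel,R-5555,
2025-09-01T10:42:00,cwong,external_panel,R-1002,
2025-09-01T11:00:30,ahughes,caseworker,R-1003,
"""

# Constructed caseload assignments: the records each user is assigned to work on.
# An external panel member with no assigned caseload should trigger a finding on
# every record view unless a justification is recorded.
CASELOAD = {
    "ahughes": {"R-1001", "R-1002", "R-1003"},
    "bpatel": {"R-3010"},
    "cwong": set(),
}


def parse_log(text):
    """Parse the CSV access log into a list of event dicts."""
    return [dict(row) for row in csv.DictReader(io.StringIO(text))]


def check_access(event, caseload):
    """Return None if the access is within the user's caseload, else a finding dict."""
    user, record = event["user"], event["record_id"]
    if record in caseload.get(user, set()):
        return None
    justified = bool(event["justification"].strip())
    return {
        "timestamp": event["timestamp"],
        "user": user,
        "role": event["role"],
        "record_id": record,
        # A recorded justification still gets reviewed, but is not an immediate alert.
        "severity": "review" if justified else "high",
        "reason": ("outside caseload, justification supplied" if justified
                   else "outside caseload, no justification"),
    }


def review_all(events, caseload):
    """Automated full review: every event is evaluated, nothing is sampled."""
    return [f for f in (check_access(e, caseload) for e in events) if f]


def summarize(findings):
    """Count findings per (user, severity) pair for a quick triage view."""
    return Counter((f["user"], f["severity"]) for f in findings)


def manual_sample_review(events, caseload, sample_size, seed=0):
    """Simulate a manual sampling review: only `sample_size` random events are read.
    Returns (findings caught by the sample, total findings a full review would raise)."""
    rng = random.Random(seed)
    sample = rng.sample(events, min(sample_size, len(events)))
    caught = [f for f in (check_access(e, caseload) for e in sample) if f]
    return len(caught), len(review_all(events, caseload))


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for finding in review_all(evts, CASELOAD):
        print(f"{finding['severity']:6} {finding['timestamp']} {finding['user']} "
              f"viewed {finding['record_id']}: {finding['reason']}")
    print("per user/severity:", dict(summarize(review_all(evts, CASELOAD))))
    caught, total = manual_sample_review(evts, CASELOAD, sample_size=3, seed=1)
    print(f"manual sample of 3 lines surfaced {caught} of {total} findings")
```

Running the script on the constructed log raises five findings (four without any justification), while the simulated three-line manual sample surfaces only whatever subset of those happens to be drawn.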

There have been documented cases of intentional breaches occurring, as well as staff members accessing and disclosing records to the wrong person. There were reports of individuals posting sensitive data online, and staff members capturing unauthorized photos of patients or facilities. From the interviews, the auditors discovered that there was no well-known or secure mechanism to support anonymous reports of inappropriate access to medical records. As a result, staff and stakeholders could not raise concerns about potential wrongdoing or privacy and security issues without fear of retaliation from agency leadership or coworkers.

The auditors pointed out that a single compromised account could expose an entire data repository, putting individuals at risk of identity theft and fraud. Since children’s data is highly valuable to cybercriminals, and identity theft using children’s data can go undetected for years, robust access controls are vital. The privacy of minors, patients, and other vulnerable groups was put at risk by the lack of authentication and access controls; privacy incidents and breaches were under-detected because of inadequate monitoring; over-retention of data created an unnecessary risk; and broad, unchecked access heightens the threat of identity theft.

While privacy and security weaknesses were identified, no evidence was found to suggest any successful hacking incidents involving either the SAFE or eChart systems. The Office of the State Auditor made several recommendations for improving privacy and security, and the DHHS is in various stages of implementing those recommendations.

The post Audit of Utah Department of Health and Human Services Identifies Critical Privacy & Security Weaknesses appeared first on The HIPAA Journal.

HHS Office for Civil Rights Establishes Part 2 Enforcement Program

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has established a civil enforcement program for the 42 CFR Part 2 – Confidentiality of Substance Use Disorder Patient Records (Part 2) regulations.

The Coronavirus Aid, Relief, and Economic Security (CARES) Act, an economic stimulus bill signed into law on March 27, 2020, included a section (Section 3221) related to the confidentiality and disclosure of substance use disorder (SUD) records. The CARES Act directed the HHS to implement changes to align the Part 2 regulations more closely with the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, and Breach Notification Rules, to enhance protections and improve patient rights, while allowing a more flexible approach to the sharing of SUD records with patient consent to improve care coordination.

In February 2024, the HHS issued a final rule that modified the Part 2 regulations by implementing the changes mandated by Section 3221 of the CARES Act. The final rule improves coordination among providers treating patients for SUD, aligns certain Part 2 requirements with the HIPAA Privacy Rule and HIPAA Breach Notification Rule, and enhances integration of behavioral health information with other medical records to improve patient health outcomes.

The final rule also implemented a new penalty structure, mirroring that of HIPAA, as amended by the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009. OCR has been granted authority to enforce compliance, and if violations are identified, they will be subject to the same range of enforcement mechanisms as HIPAA. Violations of the Part 2 regulations can be resolved with civil monetary penalties, resolution agreements, monetary settlements, and corrective action plans to address areas of noncompliance.

The enforcement program uses newly established mechanisms of civil enforcement to protect the confidentiality of SUD records by covered SUD programs. “At President Trump’s direction, HHS is aggressively enforcing federal safeguards to protect substance use disorder patient records as part of the Great American Recovery Initiative,” said HHS Secretary Robert F. Kennedy, Jr. “Americans seeking treatment for substance use disorder deserve comprehensive care without sacrificing their privacy or legal protections.”

This is the first time that mechanisms have been established and will help to ensure that the privacy of Americans seeking treatment for substance use disorder is protected. “OCR’s civil enforcement program will instill confidence in patients and encourage them to seek SUD treatment from covered SUD providers. At the same time, compliance with the updated Part 2 regulation will improve care coordination and reduce administrative burdens,” said OCR Director Paula M. Stannard. “OCR is uniquely positioned to enforce patient rights and the regulated community’s obligations given our extensive experience administering compliance and enforcement programs for health information privacy, security, and breach notification under HIPAA.”

OCR must be notified about any breach of SUD records, and the agency will investigate breaches to determine if they were the result of noncompliance. On February 16, 2026, OCR started accepting complaints about potential violations of the Part 2 regulations, including civil rights and breach notifications related to SUD records.

Complaints about potential Part 2 violations should be submitted via the OCR breach portal. Individuals are encouraged to file a complaint if they believe that their civil rights or health information privacy have been violated, but also if they suspect that the civil rights or health information privacy of other individuals have been violated. Complaints will be investigated, and if substantiated, violations will be resolved through the newly established enforcement mechanisms.

The OCR breach portal has been updated to show entities and individuals that have experienced breaches of Part 2 records. As with the section of the OCR breach portal for HIPAA breach reports, a summary of each breach of Part 2-covered records is listed. The listings include basic information about the breach: the name of the Part 2 program, state, individuals affected, breach submission date, type of breach, and the location of breached information. When OCR has completed its investigation of a breach, the listing will be moved to the archive, with brief notes added from OCR’s investigation. The breach portal only includes large breaches of SUD records, those affecting 500 or more individuals. Smaller breaches are not made public, although the breach reporting requirements are the same, irrespective of the size of the breach.


Kaiser Foundation Health Plan Settles Unwanted Text Message Lawsuit

The risk of sending unwanted marketing communications to consumers has been highlighted by a $10.5 million settlement with Kaiser Foundation Health Plan, which is alleged to have continued sending marketing text messages to individuals who opted out of receiving marketing communications.

Legal action was taken against Kaiser Foundation Health Plan, doing business as Kaiser Permanente, by Jonathan Fried, who alleged that the defendant violated federal and Florida state law by continuing to send marketing text messages after he had submitted an opt-out request to stop receiving the communications.

The lawsuit, Jonathan Fried v. Kaiser Foundation Health Plan, Inc., d/b/a Kaiser Permanente, was filed individually and on behalf of similarly situated individuals over the alleged sending of unwanted text messages marketing Kaiser Permanente’s products and services. According to the lawsuit, the defendant continued to send, or failed to stop, further messages after consumers replied with the word STOP or performed a similar opt-out instruction. The lawsuit alleges that the failure to honor the opt-out requests violated the federal Telephone Consumer Protection Act (TCPA) and the Florida Telephone Solicitation Act (FTSA). The violations are alleged to have occurred between January 21, 2021, and August 20, 2025.

Kaiser maintains there was no wrongdoing and denies and continues to deny the allegations in the lawsuit; however, a settlement was agreed to bring the litigation to an end to avoid the cost of a trial and related appeals, and the risks and uncertainties for both sides from continuing with the litigation. Kaiser has agreed to pay up to $10,500,000 to settle the litigation. The settlement fund will cover attorneys’ fees and expenses, a service award for the class representative, settlement administration costs, and cash payments for the class members.

There are two settlement classes. The first applies to all individuals in the United States who were sent more than one text message regarding the defendant’s goods or services in any 12-month period between January 21, 2021, and August 20, 2025, after replying to a message with STOP or performing a similar opt-out instruction. The Florida FTSA class includes all persons who resided in Florida and received more than one text message between the same dates about the defendant’s goods or services at least 15 days after opting not to receive the communications.

Class members who submit a valid claim will receive a payment of up to $75 per qualifying text message they received. If the number of claims exceeds the funds in the settlement, then claims will be paid pro rata. Should any funds remain in the settlement fund after all claims have been paid, then they will be refunded to Kaiser.

The settlement has received preliminary approval from the court, and claims must be submitted by February 12, 2026. The deadline for opting out and exclusion from the settlement is December 29, 2025. The final approval hearing has been scheduled for January 28, 2026.


HELP Committee Chair Introduces Health Information Privacy Reform Act to Protect Americans’ Health Data

New legislation – the Health Information Privacy Reform Act – has been introduced to improve privacy protections for health information that is not currently covered by the Health Insurance Portability and Accountability Act (HIPAA).

Under HIPAA, there are strict limits on uses and disclosures of personally identifiable health information, and safeguards must be implemented to prevent unauthorized access to physical and electronic protected health information. The problem for consumers is that the scope of HIPAA is quite narrow. HIPAA only applies to health information that is created, collected, maintained, stored, or transmitted by a HIPAA-covered entity (healthcare provider, health plan, or healthcare clearinghouse) or a business associate of a HIPAA-covered entity.

Health apps, such as ovulation and fertility tracking apps, can collect large amounts of personally identifiable health information. While the health data would be classed as protected health information (PHI) and be subject to HIPAA protections if it were collected by a healthcare provider, the health information collected by health apps, smartwatches, and other wearable devices is rarely protected by HIPAA or the HITECH Act of 2009, which applies to certified health information technologies.

When HIPAA was enacted more than two decades ago, health information was generally only collected and stored by healthcare providers, health plans, healthcare clearinghouses, and vendors of those entities; however, today, technologies that collect health data are widely used outside of a hospital or doctor’s office.

While there are federal laws that apply to non-HIPAA-protected health data, such as Section 5 of the FTC Act and the FTC’s Health Breach Notification Rule, they are not as stringent as HIPAA. Some states, such as California, have introduced legislation to improve privacy protections for non-HIPAA health data, but state laws are patchy. Privacy protections can differ considerably from state to state.

U.S. Senator Bill Cassidy, M.D. (R-LA), chair of the Senate Health, Education, Labor, and Pensions (HELP) Committee, is looking to change that with the Health Information Privacy Reform Act. The Health Information Privacy Reform Act seeks to expand health privacy protections to account for new technologies such as health apps, smartwatches, and other wearable devices.

“Smartwatches and health apps change the way people manage their health. They’re helpful tools, but present new privacy concerns that didn’t exist when it was just a patient and a doctor in an exam room,” said Sen. Cassidy. “Let’s make sure that Americans’ data is secured and only collected and used with their consent.”

The Health Information Privacy Reform Act will apply to health technologies not covered by HIPAA or the HITECH Act and seeks to expand protections to include non-HIPAA-regulated entities, such as healthcare providers that only accept out-of-pocket payments.

The bill requires the Secretary of the Department of Health and Human Services (HHS), in consultation with the Federal Trade Commission (FTC), to promulgate privacy, security, and breach notification standards to cover all health information not covered by HIPAA or the HITECH Act. Those standards must “provide protections that are at least commensurate with, and wherever feasible and appropriate harmonize with, the protections provided through the privacy, security, and breach notification rules promulgated under [HIPAA and the HITECH Act].”

Covered entities will be required to disclose to consumers how their private health information will be used and disclosed. The bill requires the HHS to formulate permitted uses and disclosures for when individual authorization is not required, set authorization requirements, and establish a set of prohibited uses and disclosures.

As with HIPAA, there will be minimum necessary requirements to ensure that uses and disclosures are limited to the minimum necessary information to achieve the purpose for which health information is used or disclosed. The bill will give individuals rights over their health information, such as the right to receive a privacy notice, access their health data, and request an amendment or deletion of data, and it requires covered health information to be portable.

Physical, technical, and administrative safeguards must be implemented, including safeguards for electronic health information based on established national frameworks such as the NIST Cybersecurity Framework or the HHS health sector cybersecurity performance goals. In the event of a breach of covered health information, notifications are required, in line with those of the HIPAA Breach Notification Rule.

Within one year of the bill being passed, the Secretary of the HHS is required to establish unified national standards for rendering health information de-identified, similar to the de-identification requirements of HIPAA, and publish guidance on the application of the minimum necessary standard to data used for artificial intelligence and other machine learning applications.

The bill also requires the HHS to contract with the National Academies of Sciences, Engineering, and Medicine to conduct a study to identify the risks and benefits of paying compensation to patients for sharing their personal health data for research purposes.

The Health Information Privacy Reform Act has preemption provisions similar to those of HIPAA, inasmuch as states will be permitted to strengthen privacy requirements should they so wish, although that could lead to a complex patchwork of privacy protections.

The HHS, in consultation with the FTC, will be authorized to enforce all provisions of the Health Information Privacy Reform Act, and may impose civil monetary penalties for noncompliance, in line with existing penalty structures.

Similar privacy laws have been proposed in the past to address the lack of privacy protections for non-HIPAA-covered health data, as well as numerous attempts to pass a national data privacy law, all without success. It remains to be seen whether the Health Information Privacy Reform Act can gain sufficient support to get it over the line.


American Hospital Association Makes Recommendations to Support AI Adoption in Healthcare

The American Hospital Association (AHA) has responded to a September 2025 request for information (RFI) from the Office of Science and Technology Policy (OSTP) on regulatory reform on artificial intelligence (AI) to promote innovation and adoption.

The Trump administration is committed to ensuring the United States achieves global dominance in AI and issued the RFI to obtain feedback from businesses and the public on current federal regulations that are hampering AI adoption and innovation. AI has tremendous potential in healthcare, from analyzing and interpreting medical images, aiding clinicians with decision-making, streamlining operations, and easing the considerable administrative burden faced by providers. While AI tools have been adopted in healthcare, the AHA says hospitals and health systems have merely scratched the surface of the potential uses to support them and the patients they serve.

In order to accelerate innovation and adoption, the AHA believes regulations need to be eased. In its response, the AHA explained that around one-quarter of healthcare spending goes on administrative tasks, amounting to around $1 trillion annually. Feedback from member hospitals and health systems indicates that regulatory administrative burdens are contributing to the financial instability of many hospitals, around 40% of which are now operating with negative margins.

The AHA has already voiced opposition against further administrative burdens and costs related to the proposed update to the HIPAA Security Rule and has welcomed the Trump administration’s recognition that overly restrictive regulations lead to higher costs, hamper competition, and stifle innovation. AHA members have voiced their concern that excessive regulation of AI is likely to severely limit adoption and innovation. Given the potential for AI to improve efficiency and enhance the quality of care, a balance needs to be struck between regulation to ensure patient safety while incorporating sufficient flexibility to support innovation.

In the letter to the OSTP, Ashley Thompson, the AHA’s senior vice president of public policy analysis and development, explained that current administrative burdens have forced many hospitals to scale back patient services or close, and that excessive regulatory and administrative burdens have added unnecessary cost and reduced patient access to care. To ensure the full potential of AI in healthcare, the AHA makes four main recommendations for AI reform: leveraging existing policy frameworks to avoid redundancy; removing regulatory barriers; ensuring AI is used safely and effectively; and providing incentives and infrastructure investment to expand the use of AI in healthcare.

Current regulatory frameworks were developed around human clinicians and discrete medical device updates, which may create challenges if the same frameworks are applied to continuously updating AI tools; however, creating a new regulatory framework for AI could result in redundancy and inefficiency. The AHA recommends that any AI policies be synchronized with existing regulatory frameworks such as HIPAA, the HHS cybersecurity performance goals, FDA rules on premarket testing, and the CMS Medicare Advantage regulations.

The AHA recommends removing regulatory barriers that could stifle innovation, explaining that the current patchwork of state privacy laws and the 42 CFR Part 2 regulations has had a direct impact on the ability of hospitals to develop and deploy AI tools. The AHA has already responded to several problematic aspects of the proposed HIPAA Security Rule update, and recommended voluntary, consensus-based cybersecurity practices such as the HHS cybersecurity performance goals, rather than further regulation. The AHA suggests the Trump administration work with Congress to address HIPAA preemption, recommending the enactment of full HIPAA preemption, as varying state laws are currently creating complications for its members. Further, the AHA supports the removal of all remaining requirements under the Part 2 regulations, which it says are hindering access to important health information and impacting the ability of SUD providers to leverage AI tools for care delivery.

Regarding patient safety, the AHA recommends keeping trained clinicians in the decision loop for algorithms that may impact access to care or care delivery, applying consistent privacy and security standards to third-party vendors, and implementing policies that include post-deployment standards for AI healthcare tools to ensure the ongoing integrity of those tools.

The AHA has also stressed that infrastructure needs to be improved to support the adoption of AI tools. For instance, hospitals in rural areas often lack reliable broadband and Wi-Fi access, which has proven to be a barrier to digital services and the adoption of AI tools. Incentives should be aligned to support AI adoption, as inadequate reimbursement has meant that many providers do not have the necessary resources to invest in the infrastructure to support the adoption of AI tools. The AHA also encourages cross-agency collaboration to develop training and potential grant funding opportunities to support patient educational efforts on digital health tools.


California Strengthens Privacy Protections for Individuals Visiting Family Planning Centers

California Governor Gavin Newsom has added his signature to a bill that strengthens privacy protections for individuals seeking or receiving healthcare services from a family planning center. Prior to the update, California law prohibited a person or business from collecting, using, disclosing, or retaining the personal information of a person located at or within the geolocation of a family planning center, other than as necessary to provide the goods or services requested by that person.

Assembly Bill 45 (AB-45) strengthens privacy protections by prohibiting the collection, use, disclosure, sale, sharing, or retention of personal information of a natural person located at or within the precise geolocation of a family planning center, other than to provide goods and services to an individual, as requested. The requirements do not apply to HIPAA-regulated entities or their business associates, provided that the business associate is contractually obliged to comply with all state and federal laws.

The new law extends the scope of existing law to cover any person, including a natural person, association, proprietorship, corporation, trust, foundation, partnership, or any other organization or group of people acting in concert. The new law uses the same definitions for sale, personal information, and precise geolocation as the California Consumer Privacy Act (CCPA), although the definitions apply to all persons. A family planning center is defined as a facility categorized as a family planning center by the North American Industry Classification System adopted by the United States Census Bureau, which includes, but is not limited to, clinics that provide reproductive healthcare services.

The new law makes it unlawful to geofence an entity that provides in-person healthcare services for certain purposes and prohibits the selling or sharing of information with a third party to geofence an entity that provides healthcare services. Healthcare services are defined as “any service provided to a natural person of a medical, surgical, psychiatric, therapeutic, diagnostic, mental health, behavioral health, preventative, rehabilitative, supportive, consultative, referral, or prescribing nature.”

Geofencing is specifically prohibited for the purpose of identifying or tracking an individual seeking or receiving healthcare services, collecting personal information from a person seeking, receiving, or providing healthcare services, sending notifications to a person related to their personal information or healthcare services, and sending advertisements to an individual related to their personal information or healthcare services. There are exceptions to the geofencing restrictions. The owner of the facility is permitted to geofence its own location, geofencing is permitted for research purposes that comply with federal regulations, and geofencing is permitted by labor organizations, although consent must be obtained from individuals if the geofencing results in the collection of names or personal information. Personally identifiable research records of individuals seeking healthcare services are protected and may not be released in response to a subpoena or request made pursuant to other states’ laws that interfere with a person’s rights under the California Reproductive Privacy Act.

There is a limited private cause of action in AB-45, which allows individuals and entities aggrieved by a violation of the provisions of AB-45 to sue for damages, up to a maximum of three times the actual damages, in addition to expenses, costs, and reasonable attorneys’ fees. The California Attorney General will enforce the new law and can impose penalties of up to $25,000 per violation and injunctive relief. Any collected penalties will be used to fund the California Reproductive Justice and Freedom Fund. The new law takes effect on January 1, 2026.


California Sets 30-Day Breach Reporting Deadline

Individuals and businesses operating in the state of California will soon be required to notify individuals affected by a data breach within 30 days of the discovery of the breach, and the state attorney general must be notified within 15 calendar days. State Governor Gavin Newsom added his signature to SB 446 earlier this month, with the new data breach reporting requirements taking effect on January 1, 2026.

Previously, data breach notification law in California required notifications to be issued without unreasonable delay, with no maximum timeframe stipulated for when the notifications should be issued. The new law will ensure that individuals affected by a data breach will receive prompt notification, allowing them to take timely action to protect themselves against identity theft and fraud.

There is, however, some flexibility in the new law. Data breach notifications must be issued in the most expedient time possible and without unreasonable delay, and while a 30-day limit is stipulated, the new law does allow for delays to notifications at the request of law enforcement and also to allow for any measures to be taken to determine the scope of the breach and restore the reasonable integrity of the data system.

The new law requires data breach notices to be written in plain language, they must be titled “Notice of Data Breach,” and they should follow a standard format, with the information presented under the following headings:

  • What Happened?
  • What Information Was Involved?
  • What We Are Doing
  • What You Can Do
  • For More Information

There are also minimum content requirements. Data breach notices must include contact information for the individual or entity reporting the breach, the types of information reasonably believed to have been compromised, and contact information for the major credit reporting agencies if the breach involved Social Security numbers, driver’s license numbers, or California identification card numbers. If known at the time of issuing the notifications, notices should state the date of the breach, the estimated date of the breach, or the date range in which the breach occurred. Notices should also include a general description of the breach incident.

If the individual or business reporting the breach was the source of the breach, and the breach involved certain sensitive types of data, then complimentary identity theft prevention and mitigation services should be offered for a minimum of 12 months. Data types requiring those services to be offered are: Social Security number, driver’s license number, California identification card number, tax identification number, passport number, military identification number, or any other unique identification number issued on a government document commonly used to verify the identity of a specific individual.

Entities that fully comply with the Health Insurance Portability and Accountability Act (HIPAA) Breach Notification Rule will be deemed to be compliant with the breach notice requirements of SB 446; however, HIPAA-regulated entities are not exempted from other requirements of SB 446. HIPAA-regulated entities should therefore ensure that they thoroughly check those requirements and update their policies and procedures ahead of the compliance deadline.

The post California Sets 30-Day Breach Reporting Deadline appeared first on The HIPAA Journal.

August 2025 Healthcare Data Breach Report

There has been a 13.7% month-over-month increase in large healthcare data breaches, with 58 breaches affecting 500 or more individuals reported to the HHS’ Office for Civil Rights in August, slightly lower than the 2025 average of 63.5 large healthcare data breaches per month.

Individuals affected by healthcare data breaches in the past 12 months

August healthcare data breaches (2020-2025)

Since 2009, the number of reported healthcare data breaches has generally increased each year, although there was a slight reduction in data breaches last year (746 in 2023 vs. 739 in 2024), and that trend appears to be continuing this year. HIPAA-regulated entities have reported 508 large healthcare data breaches in the year to August 31, 2025, compared to 515 large healthcare data breaches over the corresponding period in 2024.

Individuals affected by healthcare data breaches in the past 12 months

Individuals affected by healthcare data breaches in August (2020-2025)

For the second consecutive month, the number of individuals affected by healthcare data breaches has fallen. Across the 58 data breaches, the protected health information of 3,789,869 individuals was exposed or impermissibly accessed/disclosed. On average, 5,084,784 individuals have been affected by healthcare data breaches each month this year (median 3,583,200 individuals).

The number of affected individuals is down 84.7% for the year to date compared to 2024, although in July last year, Change Healthcare reported its gargantuan data breach, which we now know affected 192.7 million individuals. Even discounting that data breach as an outlier, there has been a considerable fall in the number of individuals affected by healthcare data breaches this year, down 43.93% from 2024 and 60.9% from the same period in 2023. Further information on healthcare data breaches can be found on our healthcare data breach statistics page.

The Biggest Healthcare Data Breaches in August 2025

There were only 13 data breaches affecting 10,000 or more individuals in August, the largest of which was a ransomware attack on the kidney dialysis company DaVita, which affected 2,689,826 individuals, 71% of the total affected individuals in August. The Interlock ransomware group claimed responsibility for the attack. Vital Imaging Medical Diagnostic Centers (VIMDC) in Florida experienced the second-largest data breach, with up to 260,000 individuals affected. While data theft was not confirmed, VIMDC said data theft was likely. Three of the four largest healthcare data breaches in August were ransomware attacks: Aspire Rural Health System and Highlands Oncology Group also fell victim to ransomware.

Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Cause of Breach
DaVita Inc. | CO | Healthcare Provider | 2,689,826 | Ransomware attack – Data theft confirmed (Interlock)
Vital Imaging Medical Diagnostic Centers, LLC | FL | Healthcare Provider | 260,000 | Hacking incident – Data theft suspected
Aspire Rural Health System | MI | Healthcare Provider | 138,386 | Ransomware attack – Data theft confirmed (BianLian)
Highlands Oncology Group PA | AR | Healthcare Provider | 111,766 | Ransomware attack (Medusa)
University of Iowa Community Home Care | IA | Healthcare Provider | 109,029 | Hacking incident – Data theft confirmed
University of Iowa Health Care | IA | Healthcare Provider | 101,875 | Hacking incident – Data theft confirmed
CPAP Medical Supplies and Services Inc. | FL | Healthcare Provider | 90,133 | Hacking incident
Langdon & Company, LLP Certified Public Accountants | NC | Business Associate | 46,061 | Hacking incident – Data theft confirmed
Pediatric Otolaryngology Head & Neck Surgery Associates, P.A. | FL | Healthcare Provider | 43,446 | Hacking incident
MDLand International Corporation | NY | Business Associate | 22,586 | Ransomware attack
Beech Acres Parenting Center | OH | Healthcare Provider | 19,315 | Hacking incident
Pacific Imaging Management, LLC | CA | Healthcare Provider | 13,158 | Compromised email accounts
West Texas Oral Facial Surgery | TX | Healthcare Provider | 11,151 | Hacking incident

The 13 data breaches affecting 10,000 or more individuals could well grow over the coming weeks, as 11 data breaches were reported in August that had suspected placeholder figures of 500 or 501 affected individuals. These figures are commonly used when the number of affected individuals has not been determined by the reporting deadline of the HIPAA Breach Notification Rule.

Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Type of Breach
Meridian Valley Laboratories, Inc. | WA | Healthcare Provider | 501 | Hacking/IT Incident
Department of Social Services for Vance County, North Carolina | NC | Business Associate | 501 | Hacking/IT Incident
CareTracker, Inc. | NY | Business Associate | 501 | Hacking/IT Incident
Mower County Health and Human Services | MN | Healthcare Provider | 501 | Hacking/IT Incident
PROVAIL | WA | Healthcare Provider | 501 | Hacking/IT Incident
Woodlawn Hospital | IN | Healthcare Provider | 500 | Hacking/IT Incident
McEwen & Associates | TX | Business Associate | 500 | Hacking/IT Incident
McEwen & Associates | TX | Business Associate | 500 | Hacking/IT Incident
McEwen & Associates | TX | Business Associate | 500 | Hacking/IT Incident
Aflac Incorporated (“Aflac”) | GA | Health Plan | 500 | Hacking/IT Incident
Friesen Group | CA | Healthcare Provider | 500 | Hacking/IT Incident

Causes of August 2025 Healthcare Data Breaches

Hacking and other IT incidents dominated the August breach reports, accounting for 87.9% of the month’s data breaches (51 data breaches). Across those breaches, the protected health information of 3,635,101 individuals was exposed or impermissibly accessed or disclosed – 95.9% of the individuals affected by data breaches in August. The average breach size was 71,276 records, and the median breach size was 3,569 records.

Causes of August 2025 healthcare data breaches

There were 7 unauthorized access/disclosure incidents affecting a total of 154,768 individuals. The average breach size was 22,110 records, and the median breach size was 3,215 records. No loss or theft incidents have been reported for five months, and there have been no improper disposal incidents for three months. The most common location of breached protected health information was network servers, followed by email accounts.

Location of breached protected health information in August 2025

Affected HIPAA-Regulated Entities

In August, 44 data breaches were reported by healthcare providers, affecting 3,698,013 individuals, 12 data breaches were reported by business associates, affecting 88,141 individuals, and 2 data breaches were reported by health plans, affecting 3,715 individuals. When a data breach occurs at a business associate, it is ultimately the responsibility of the affected covered entities to report the breach, although that responsibility is often delegated to the business associate. Since some covered entities choose to report business associate breaches themselves, the above figures do not accurately show where the data breach occurred. The charts below are based on the entity that experienced the data breach rather than the entity that reported the incident.

Data breaches at HIPAA-regulated entities in August 2025

Individuals affected by data breaches at HIPAA-regulated entities in August 2025

Geographical Distribution of August 2025 Healthcare Data Breaches

California was the worst-affected state with 7 large data breaches reported by HIPAA-regulated entities based in the state, closely followed by Florida and Texas with 6 data breaches. In August, HIPAA-regulated entities in 23 states reported large data breaches.

State | Breaches
California | 7
New York & Texas | 6
Florida | 5
Indiana, North Carolina & Washington | 3
Arkansas, Connecticut, Georgia, Iowa, Massachusetts, Michigan, Minnesota, Utah & Wisconsin | 2
Arizona, Colorado, Illinois, Mississippi, Montana, Nebraska & Ohio | 1

While California had the most breaches, the state ranked 8th in terms of the number of affected individuals. New York ranked 7th, and Texas ranked 9th. Only one data breach was reported by a Colorado-based entity, but it was the largest data breach of the month, ensuring the state ranked top in terms of affected individuals.

State | Records
Colorado | 2,689,826
Florida | 405,348
Iowa | 210,904
Michigan | 139,401
Arkansas | 114,257
North Carolina | 50,584
New York | 44,882
California | 33,873
Texas | 20,848
Ohio | 19,315
Connecticut | 8,428
Montana | 8,255
Wisconsin | 8,006
Indiana | 6,097
Massachusetts | 5,896
Washington | 4,866
Utah | 4,195
Georgia | 4,069
Arizona | 2,916
Minnesota | 2,767
Nebraska | 2,544
Mississippi | 1,541
Illinois | 1,051

HIPAA Enforcement Activity in August 2025

It has been a busy year of HIPAA enforcement, with 19 investigations resulting in settlements or civil monetary penalties to resolve noncompliance with the HIPAA Rules, including one new enforcement action announced in August. BST & Co. CPAs, LLP, is a public accounting, business advisory, and management consulting firm based in New York. OCR launched an investigation of the company following a report of a December 2019 ransomware attack by the Maze ransomware group involving unauthorized access to the protected health information of up to 170,000 patients of its covered entity client Community Care Physicians P.C., a New York medical group. The ransomware attack started with a phishing email. OCR was not provided with any evidence to show that a risk analysis had ever been conducted. The alleged HIPAA violation was settled with BST & Co. CPAs agreeing to pay a $175,000 financial penalty and adopt a corrective action plan. You can find out more about OCR’s HIPAA enforcement actions on our HIPAA violation cases page.

State attorneys general can also investigate HIPAA breaches and impose financial penalties for noncompliance, although there were no announcements by state attorneys general in August. State attorneys general HIPAA enforcement actions can be found on this link.

The post August 2025 Healthcare Data Breach Report appeared first on The HIPAA Journal.
