Delta Dental Insurance and Delta Dental of New York (Delta Dental) have agreed to pay a fine of $2.25 million to the New York Department of Financial Services to settle alleged violations of New York cybersecurity regulations. The violations were discovered during an investigation of a 2023 hacking incident that affected almost 7.1 million of its customers.

The incident in question occurred over the Memorial Day weekend in 2023 and was detected by Delta Dental on June 1, 2023. A Russian-speaking cybercriminal group called Clop (aka Cl0p) exploited a zero-day vulnerability in Progress Software’s MOVEit Transfer managed file transfer solution, accessed the solution between May 27 and May 30, 2023, and exfiltrated approximately 60,000 files. The group then demanded a ransom to prevent the publication of the stolen files.

By July 6, 2023, Delta Dental confirmed that a range of sensitive personal and protected health information had been stolen, including names, addresses, Social Security numbers, driver’s license numbers, financial account information, and health information. Delta Dental was one of around 2,700 companies to fall victim to the automated mass exploitation attacks.

Delta Dental Insurance, a dental insurance underwriter, and its subsidiary, Delta Dental of New York, were investigated by the New York Department of Financial Services after being notified about the data breach on December 15, 2023. The Department of Financial Services identified several violations of state laws, including the failure to provide timely notice about the data breach. Under N.Y. Comp. Codes R. & Regs. Tit. 23 § 500.17(a)(1), covered entities are required to notify the superintendent about a cybersecurity incident within 72 hours of discovery.

According to the consent order, Delta Dental did not implement and maintain a written policy addressing incident response, in breach of the New York Cybersecurity regulations for financial services companies – 23 NYCRR § 500.3(n), and did not have a written incident response plan that sufficiently addressed its reporting obligations to regulators, in violation of 500.16(b)(6). Further, Delta Dental did not implement policies and procedures for the secure disposal of data no longer required for business purposes, as required by § 500.13.

The investigation found that most of the data stolen in the attack had been on the server for more than 30 days. By default, MOVEit Transfer sets the data retention period as 30 days; however, Delta Dental had changed the retention period first to 45 days, and then to 60 days for many folders. Some folders had data retention settings disabled and there were no written policies regarding requesting, reviewing, or approving changes to the data retention settings.

Delta Dental is required to pay the financial penalty, although there are no corrective actions required by the order. Provided Delta Dental complies with the consent order, the New York Department of Financial Services will take no further action. “The Department’s nation-leading cybersecurity regulation requires financial institutions to have robust policies in place to protect the personal information of New Yorkers,” said Kaitlin Asrow, acting superintendent of the New York Department of Financial Services. “As cybersecurity threats continue to grow, the Department is committed to holding institutions accountable.”

The post Delta Dental Fined $2.25 Million Over 2023 MOVEit Transfer Hack appeared first on The HIPAA Journal.

House Republicans have made a fresh attempt to introduce federal data privacy legislation that, if passed, will replace the current patchwork of state privacy laws. The new privacy bill – the Securing and Establishing Consumer Uniform Rights and Enforcement over Data (SECURE Data) Act, and a companion bill covering financial firms – the GUARD Financial Data Act – were introduced by Republican members of the House Committee on Energy and Commerce and the House Committee on Financial Services. Unlike previous attempts to enact comprehensive federal data privacy legislation, the SECURE Data Act and GUARD Financial Data Act are not bipartisan. No input was sought from Democratic committee members.

Efforts to develop the bills were led by Congressman John Joyce, M.D., Chairman of the House Committee on Energy and Commerce, who led the Energy and Commerce Data Privacy Working Group, and Congressman John Joyce, M.D. (PA-13), Chairman of the Energy and Commerce Subcommittee on Oversight and Investigations and leader of the Energy and Commerce Data Privacy Working Group.

The bills were developed following more than a year of stakeholder consultation, and aim to create new federal data privacy standards, and are based on common data subject rights and provisions from states that have implemented their own comprehensive data privacy laws.

Key consumer rights in the SECURE Data Act include:

• The right to know data is being collected and used
• The right to access a copy of the personal data collected by an entity, including in a portable format
• The right to request that their personal data be deleted
• The right to opt out of targeted advertising, the sale of their personal data, and certain automated decisions
• To only process sensitive data with a consumer’s consent
• To only process a child or teen’s personal data with parental consent

The obligations for covered businesses under the SECURE Data Act include:

• Limiting the collection of personal data to what is “adequate, relevant, and reasonably necessary for the purposes disclosed to consumers
• Required disclosure of the personal data shared with others, and any personal data processed in or sold to China, Russia, or other foreign adversaries.
• Implementation of data security practices to protect the personal data they process.

There are specific requirements for data brokers, which include:

• Data minimization, disclosure, and data security requirements.
• Registration with the FTC, including disclosure of the privacy and data security practices and personal data sold.
• The FTC will establish a searchable public-facing registry of data brokers, where consumers can learn how to exercise their privacy rights.

“This bill establishes clear, enforceable protections so that Americans remain in charge of their own data and companies are held accountable for its safe keeping,” Energy and Commerce Chair Brett Guthrie, R-Ky., and Rep. John Joyce, R-Penn., said in a joint statement. “We look forward to working with our colleagues to build support for this bill and advance data privacy protections fit for our 21st century economy.”

The SECURE Data Act would apply to nonfinancial firms that control consumer data, exempting financial data and financial institutions covered by the Gramm-Leach-Bliley Act. The companion bill, the GUARD Financial Data Act, would update the Gramm-Leach-Bliley Act and would exempt nonfinancial firms. While there is a clear need for federal data privacy legislation to replace data privacy laws that vary considerably from state to state, for certain states such as California, it would mean a watering down of their current privacy protections for state residents. For instance, the SECURE Data Act does not include a private cause of action, which means individuals whose privacy is violated would not be able to sue for SECURE Data Act violations.

The SECURE Data Act has been criticized for failing to implement meaningful privacy protections and weakening protections for consumers in states that have placed limits on the collection, use, and sharing of consumers’ data. Critics say the legislation ultimately protects corporations and big tech firms rather than protecting consumers’ privacy. “We should be protecting the little guy with a bill that empowers consumers, not one that pre-empts consumer protections at the behest of Big Tech,” said Energy and Commerce Ranking Member Frank Pallone (D-NJ).

Some privacy groups have criticized the bill for important omissions, such as failing to address AI-related privacy harms. There are no provisions limiting the data that can be collected on consumers for training AI algorithms, and while companies are required to disclose if they are using AI-based automated decision-making systems, consumers do not have the right to opt out.

There are grave concerns that if enacted, it will allow big tech firms to continue collecting and using vast amounts of consumer data. “It places the onus on regular people to wade through reams of privacy policies and ask tech companies to stop abusing our data, and it leaves us without real recourse — even blocking us from going to court — if our requests go unanswered. On top of that, the bill would entirely destroy the work that states have been doing for years to protect their residents,” said American Civil Liberties Union attorney Cody Venzke.

While previous efforts to pass a comprehensive federal data privacy law, such as the American Data Privacy and Protection Act (ADDPA), have been bipartisan, bicameral, and have proposed stronger privacy protections, they have all failed to be enacted. While there is a good chance that the SECURE Data Act would be passed by the House of Representatives, it may be difficult, in its current form, for the bill to survive a Senate vote.

The post House Republicans Make New Attempt to Introduce Federal Data Privacy Legislation appeared first on The HIPAA Journal.

The Maine House of Representatives has voted unanimously to advance a bill that seeks to strengthen cybersecurity at Maine hospitals to prevent cyberattacks and ensure continuity of care following cyber intrusions. The bill faces further votes in the House and Senate in the coming days.

The bill was proposed by Rep. Julie McCabe (D-Lewiston), a member of the Health and Human Services Committee, following two cyberattacks last year that impacted five Maine hospitals –  Covenant Health’s St. Mary’s Hospital in Lewiston, St. Joseph’s Hospital in Bangor, and Central Maine Medical Center’s hospitals in Lewiston, Bridgton, and Rumford. The Covenant Health ransomware attack alone affected 478,188 individuals, and along with the cyberattack on Central Maine Medical Center, around one-third of state residents were affected.

Those cyberattacks had a negative impact on patient care, crippling basic communication services, exposing serious breakdowns in hospitals’ protocols, and causing major disruption to patient care that lasted for weeks, including disruptions to preventative care and cancer care. “Cyberattacks pose a serious risk to our already-fragile health care system,” said McCabe. “We’ve already seen how a cyberattack can impact Maine hospitals and leave patients in dire straits. This legislation will help ensure that our hospitals are prepared to deal with these types of incidents, respond promptly and effectively to patient needs, and protect sensitive information.”

The bill – LD 2103 – requires hospitals to adopt measures to prevent and respond to cybersecurity incidents, and also includes provisions requiring workplace safety measures to protect patients, visitors, and employees from aggressive and violent behavior. According to the Occupational Safety and Health Administration (OSHA), healthcare workers are 4-5 times as likely to suffer injuries due to violence as employees in all other sectors. The bill requires hospitals to have a process in place to receive and record incidents and threats of violence and prohibits representatives or employees of a hospital from interfering with a person making a report.

All hospitals will be required to have a cybersecurity plan consistent with cybersecurity best practices established by the U.S. Department of Homeland Security (DHS), Cybersecurity and Infrastructure Security Agency (CISA), Department of Commerce, National Institute of Standards and Technology (NIST), and the Healthcare and Public Health Sector Coordinating Council (HSCC).

The cybersecurity plan must be consistent with HIPAA and be reviewed at least annually. At a minimum, the plan must include provisions to ensure timely notifications to law enforcement, state regulators, patients, and employees about cybersecurity intrusions. All hospitals must have a backup communication response provision to ensure continuity of care for patients in the event of a disruption of hospital computer systems due to a cybersecurity intrusion. That includes a compliant process for patients who experience challenges accessing medical care, a system to triage patients within 48 hours of submitting a complaint about emergent symptoms, and timely management of complaints related to prescriptions.

There is a provision to ensure the triage of all hospital services in the event of disruption to computer systems, including procedures for diverting hospital services, and written agreements with other hospitals to facilitate the continuity of care for patients during any disruption due to a cybersecurity incident. Hospitals must have a written security incident response plan documenting how hospital employees are to report suspected or known security incidents, including how the hospital will respond clinically, and provisions for internal and external communications. Hospitals must also have a system for ensuring that all manually charted medical information is incorporated into electronic medical records in a timely manner.

Cybersecurity training for hospital employees and board members is required at least annually, and incident response and downtime procedures must be reviewed, tested, and updated, as necessary, at least once a year. Further, following any cybersecurity incident, hospitals are required to review the response and take steps to improve procedures for responding to future cybersecurity incidents.

The post Maine House Unanimously Passes Bill to Strengthen Cybersecurity at Maine Hospitals appeared first on The HIPAA Journal.

Texas Governor Greg Abbot has ordered all state agencies and state-owned medical facilities to conduct an audit of patient monitoring devices to ensure that they do not have unresolved vulnerabilities that could be exploited to gain access to Texans’ sensitive health information. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the United States Food and Drug Administration (FDA) have issued warnings about vulnerabilities in patient monitoring devices manufactured in China. Devices have been found to contain a backdoor that can be used by a remote attacker to gain access to sensitive patient data.

There has been a proliferation of Chinese-manufactured medical devices within the U.S. healthcare system. The concern is that these devices have backdoors that can be exploited by state-sponsored hacking groups to obtain the private medical information of Americans. Governor Abbot wants to make sure that the private medical data of Texans cannot be obtained by China. “I will not let Communist China spy on Texans. State-owned medical facilities must ensure there are safeguards in place to protect Texans’ private medical data,” Governor Abbot said in a letter to the Texas Health and Human Services Commission (HHSC), Texas Department of State Health Services (DSHS), and the Texas Cyber Command (TXCC).

Governor Abbot has directed state agencies to take action to ensure that sensitive medical data is protected. HHSC and DSHS have been asked to review all state-owned medical facilities under their jurisdiction and attest that all new purchases of medical devices were procured in compliance with the November 19, 2024, Executive Order GA-48, which requires the hardening of cybersecurity by the state government.

HHSC, DSHS, and public systems of higher education are required to catalog all state-owned medical devices capable of transmitting data via a network, or that can be accessed remotely, and share that inventory with TXCC. Assisted by TXCC, HHSC, DSHS, and public systems of higher education, are required to review their cybersecurity policies related to the protection of personal health information at all state-owned medical facilities under their jurisdiction, and specifically include how policies address FDA and CISA-issued alerts for internet-connected medical devices.

TXCC has been instructed to review whether Contec CMS8000 and Epsimed MN-120 patient monitors, and any other devices used by HHSC, DSHS, and public systems of higher education, have been the subject of an FDA safety notice, and to ensure that any that have are placed on the prohibited technology list.

TXCC is also required to convene appropriate executives at HHSC, DSHS, and public systems of higher education and make recommendations for addressing emergent cybersecurity risks, monitoring of devices, and mitigation strategies. Governor Abbot has committed to proposing legislation in the next session to better protect Texans’ private medical data from hostile foreign actors, such as China.

The post Texas Governor Instructs State Agencies to Audit Chinese Medical Devices appeared first on The HIPAA Journal.

At a Thursday hearing, the Senate Health, Education, Labor and Pensions (HELP) Committee heard testimony from Thomas Keane, M.D., M.B.A., Assistant Secretary for Technology Policy and National Coordinator for Health Information Technology (ASTP/ONC) on the HHS’s efforts to make improvements in health and care through the access, exchange, and use of data.

“My top priority is fostering greater data liquidity in the U.S. health care system so that patients and their clinicians are in the driver’s seat. I see how modern data standards, combined with artificial intelligence (AI), can make health care more affordable, accessible, and can support improved health outcomes,” explained Keane.

It has been a decade since the 21^st Century Cures Act was enacted in 2016. Key provisions of the act have been implemented, such as the establishment of the Trusted Exchange Framework and Common Agreement (TEFCA) for nationwide health information exchange across health information networks. TEFCA Exchange began in earnest in January 2024, and 11 Qualified Health Information Networks have now signed up and been vetted to facilitate data exchange. More than 70,000 locations nationwide are connected, and the exchange of more than 400 million health records is now supported. While TEFCA has yet to reach its full potential, when that happens, a healthcare provider will be able to access a patient’s full health history, regardless of the electronic health record system where that information is stored.

While the technology exists to support the seamless exchange of health data, information does not always flow unimpeded. At the hearing, HELP Committee members expressed frustration that health data is being blocked by healthcare providers, developers of certified health IT, and health information networks and exchanges. The 21^st Century Cures Act prohibited information blocking; however, it took until 2023 to finalize the financial penalties for developers of health IT, and another year to finalize the financial penalties for healthcare providers, and penalties have yet to be imposed for information blocking.

At the hearing, Keane confirmed that the federal government is taking action against entities engaged in information blocking. Since the HHS launched its information blocking complaint portal, more than 1,500 complaints have been filed alleging information blocking, the majority of which were filed by patients. Keane confirmed that ASTP/ONC has started actively enforcing its information blocking rules. A major enforcement initiative was launched in September 2025, targeting noncompliance, which allocated additional resources to support investigations and hold entities accountable for blocking the sharing of electronic health information. In the Fall of last year, the HHS warned developers, providers, and health information exchanges that it announced that it would start cracking down on information blocking.

Since then, ASTP/ONC has been working closely with the HHS Office of Inspector General to ensure that bad actors face meaningful consequences for information blocking, and in February this year, ASTP/ONC sent notices to developers of certified health IT about potential non-conformity under the ONC Health IT Certification Program, requesting information and explanations about non-conformity issues. Should information blocking be confirmed, health IT developers could face penalties of up to $1 million per violation, while providers could be prevented from receiving Medicare payments.

Keane explained that ASTP/ONC is collaborating with the Federal Trade Commission (FTC), Department of Justice (DoJ), and state governments to identify potential anti-competitive business practices and other practices that are preventing the seamless exchange of health information. ASTP/ONC is also continuing to work with providers, health information networks, and health IT developers to improve understanding of what constitutes information blocking and the steps they must take to ensure compliance with the law.

“In [the] not-so-distant future, an individual with multiple chronic conditions can keep all their health information in one secure digital place and share it instantly with a new provider, a caregiver, or a trusted app—no matter where they live or where they receive care,” Keane said.

The post HHS Confirms Active Enforcement of Information Blocking Rules appeared first on The HIPAA Journal.

The U.S. Department of Health and Human Services (HHS) Centers for Medicare and Medicaid Services (CMS) plans to use artificial intelligence (AI) tools to identify fraudulent claims before they are paid.

While estimates of total losses from healthcare fraud vary, around $60 billion is thought to be lost to Medicare fraud each year. In 2023, the HHS Office of Inspector General (HHS-OIG), the primary agency responsible for tackling Medicare and Medicaid fraud, identified more than $100 billion in improper payments across the Medicare and Medicaid programs. Estimates suggest that between 3% and 10% of total healthcare spending is being lost to fraud. While HHS-OIG, in conjunction with the Department of Justice and the CMS, investigates fraud and prosecutes fraudsters, only a fraction of fraudulently paid funds is recovered.

In a February 25, 2026, press release, Vice President J.D. Vance, Secretary of Health and Human Services (HHS) Robert F. Kennedy, Jr., and CMS Administrator Dr. Mehmet Oz announced some of the new steps that are being taken to crack down on healthcare fraud as part of a broader effort by the Trump to improve affordability, protect patients, and reduce the burden on taxpayers, who ultimately foot the bill for healthcare fraud.

“For decades, Medicare fraud has drained billions from American taxpayers—that ends now,” said Secretary Kennedy. “We are replacing the old ‘pay and chase’ model with a real-time ‘detect and deploy’ strategy, using advanced AI tools to identify fraud instantly and stop improper payments before they go out the door.”

In the press release, the HHS confirmed that one of the actions is deferring $259.5 million of quarterly federal Medicaid funding in Minnesota while further investigations are conducted into fraudulent or unsupported claims, along with a nationwide moratorium on Medicare enrollment for certain Durable Medical Equipment, Prosthetics, Orthotics and Supplies (DMEPOS), which has historically been an area of major healthcare fraud.  The HHS has also issued a call to action for Americans to support fraud prevention, including seeking stakeholder input on ways the CMS can expand and strengthen its fraud prevention efforts.

“CMS is done trying to catch fraudsters with their hands in the cookie jar—instead, we’re padlocking the jar and letting them starve,” said Administrator Oz. “This proactive approach will help us crush fraud, protect taxpayer dollars, and make sure the vulnerable Americans who depend on our programs get the care they need.”

As part of the healthcare fraud prevention drive, the HHS and CMS issued a Request for Information (RFI) seeking input from a broad range of stakeholders on ways to strengthen the ability of the CMS to prevent, detect, and respond to fraud, waste, and abuse in Medicare, Medicaid, The Children’s Health Insurance Program (CHIP), and the Health Insurance Marketplace. That includes input on analytics, methodologies, data-driven approaches, and AI tools that would be most effective at identifying indicators of potential healthcare fraud, waste, or abuse.

The feedback will inform future rulemaking, including a potential “Comprehensive Regulations to Uncover Suspicious Healthcare (CRUSH) proposed rule, and other programmatic changes for tackling healthcare fraud. While the CMS and the HHS-OIG have long been using predictive modelling and data analytics to identify fraud and waste, the HHS recognizes the potential of AI tools for identifying fraud before claims are paid.

The CMS has asked for suggestions on how AI can be incorporated into Medicare Advantage coding oversight and hospital billing. Specifically, the types of AI solutions, including off-the-shelf products, that are most effective and efficient for assisting human coders with large volumes of records.

The CMS has asked stakeholders to share information on the key features and learning capabilities required in AI solutions to improve accuracy and prevent errors, the lessons learned when implementing AI solutions, how AI could be used to improve efficiency and accuracy of hospital billing, solutions that could help address coding issues related to overpayments, underpayments, and suggestions on how AI solutions can be used for compliance oversight.

While there is tremendous potential for AI tools to be used in fraud prevention and detection, they must not come at the expense of the privacy of Medicare and Medicaid beneficiaries. There will also need to be robust safeguards and oversight to ensure that legitimate and necessary medical care for law-abiding Americans is not put at risk.

The post HHS Issues RFI Seeking Input on AI Tools and Methodologies for Healthcare Fraud Prevention appeared first on The HIPAA Journal.

An audit of the Utah Department of Health and Human Services (DHHS) by the Office of the Utah State Auditor has identified privacy and security weaknesses that are putting the health information privacy of state residents at risk, especially children.

The audit was conducted in response to a complaint by a DHHS whistleblower employee who alleged that the DHHS had not implemented adequate incident response procedures and had insufficient monitoring mechanisms for detecting and managing privacy incidents. According to the complainant, the deficiencies have resulted in under-reporting of incidents and unmitigated exposure of sensitive data, especially the data of children.

The audit was led by Tina M. Cannon, State Auditor; Nora Kurzova, State Privacy Auditor; and Mark Meyer, Assistant State Privacy Auditor, and involved a review of applicable laws related to incident response and data protection, a privacy risk assessment of the most significant data processing activities as they relate to children, an evaluation of incident response documentation and internal privacy and cybersecurity monitoring controls, and interviews with certain DHHS employees, including members of its Information Privacy and Security (IPS) team.

The audit was limited in scope and focused on two systems. SAFE and eChart. SAFE is the Comprehensive Child Welfare Information System (CCWIS) for the State of Utah, Division of Child and Family Services (DCFS), which is used to support child welfare case management, including child abuse and neglect cases. Currently, the system contains around 6 million records relating to more than 2 million individuals. eChart is the central repository of records related to patients with mental health needs. The system is maintained by the Utah State Hospital (USH) and currently includes records relating to more than 10,500 individuals.

The audit uncovered several privacy and security weaknesses, including weaknesses in oversight, awareness, and internal controls, which allow privacy violations to go undetected and unaddressed for extended periods. The auditors identified systemic issues in both the SAFE and eChart systems related to access controls, records dissemination, and monitoring across systems and teams handling sensitive records, including mental health and child welfare.

Inadequate access controls meant sensitive records in both systems could be accessed without enforcing or adequately monitoring role-based and least privileged access. Records could be accessed for individuals outside a user’s workload, without requiring any justification for the access. Broad access to records had been given to individuals other than DHHS social workers, including the Utah Office of Guardian ad Litem, Utah Psychotropic Oversight Panel (UPOP), and the office of the Attorney General. In the eChart system, there were similar access control issues. For instance, users of the eChart system are expected to determine for themselves what range of viewing access is appropriate, and there were no restrictions on accessing the records of individuals outside a user’s caseload. The lack of protection was given a critical risk rating.

While logs are created of user access, there was no automated system for monitoring those logs. Each month, the division’s privacy officer reviewed access logs through a manual sampling process. There was no system in place for providing real-time alerts about suspicious medical record access. Data retention periods were unnecessarily long, creating an accumulating long-term exposure risk. For instance, some records in the SAFE system had a retention period of 100 years, when the typical retention period is only 7-10 years.

There have been documented cases of intentional breaches occurring, as well as staff members accessing and disclosing records to the wrong person. There were reports of individuals posting sensitive data online, and staff members capturing unauthorized photos of patients or facilities. From the interviews, the auditors discovered that there was no well-known or secure mechanism to support anonymous reports of inappropriate access to medical records. As a result, staff and stakeholders could not raise concerns about potential wrongdoing or privacy and security issues without fear of retaliation from agency leadership or coworkers.

The auditors pointed out that a single compromised account could expose an entire data repository, putting individuals at risk of identity theft and fraud. Since children’s data is highly valuable to cybercriminals, and identity theft using children’s data can go undetected for years, robust access controls are vital. The privacy of minors, patients, and other vulnerable groups at risk was put at risk due to the lack of authentication and access controls; there was under-detection of privacy incidents and breaches due to inadequate monitoring; overretention of data created an unnecessary risk; and broad, unchecked access heightens the threat of identity
theft.

While privacy and security weaknesses were identified, no evidence was found to suggest any successful hacking incidents involving either the SAFE or eChart systems. The Office of the State Auditor made several recommendations for improving privacy and security, and the DHHS is in various stages of implementing those recommendations.

The post Audit of Utah Department of Health and Human Services Identifies Critical Privacy & Security Weaknesses appeared first on The HIPAA Journal.

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has established a civil enforcement program for the 42 CFR Part 2 – Confidentiality of Substance Use Disorder Patient Records (Part 2) regulations.

The Coronavirus Aid, Relief, and Economic Security (CARES) Act, an economic stimulus bill signed into law on March 27, 2020, included a section (Section 3221) related to the confidentiality and disclosure of substance use disorder (SUD) records. The CARES Act directed the HHS to implement changes to align the Part 2 regulations more closely with the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, and Breach Notification Rules, to enhance protections and improve patient rights, while allowing a more flexible approach to the sharing of SUD records with patient consent to improve care coordination.

In February 2024, the HHS issued a final rule that modified the Part 2 regulations by implementing the changes mandated by Section 3221 of the CARES Act. The final rule improves coordination among providers treating patients for SUD, aligns certain Part 2 requirements with the HIPAA Privacy Rule and HIPAA Breach Notification Rule, and enhances integration of behavioral health information with other medical records to improve patient health outcomes.

The final rule also implemented a new penalty structure, mirroring that of HIPAA, as amended by the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009. OCR has been granted authority to enforce compliance, and if violations are identified, they will be subject to the same range of enforcement mechanisms as HIPAA. Violations of the Part 2 regulations can be resolved with civil monetary penalties, resolution agreements, monetary settlements, and corrective action plans to address areas of noncompliance.

The enforcement program uses newly established mechanisms of civil enforcement to protect the confidentiality of SUD records by covered SUD programs. “At President Trump’s direction, HHS is aggressively enforcing federal safeguards to protect substance use disorder patient records as part of the Great American Recovery Initiative,” said HHS Secretary Robert F. Kennedy, Jr. “Americans seeking treatment for substance use disorder deserve comprehensive care without sacrificing their privacy or legal protections.”

This is the first time that mechanisms have been established and will help to ensure that the privacy of Americans seeking treatment for substance use disorder is protected. “OCR’s civil enforcement program will instill confidence in patients and encourage them to seek SUD treatment from covered SUD providers. At the same time, compliance with the updated Part 2 regulation will improve care coordination and reduce administrative burdens,” said OCR Director Paula M. Stannard. “OCR is uniquely positioned to enforce patient rights and the regulated community’s obligations given our extensive experience administering compliance and enforcement programs for health information privacy, security, and breach notification under HIPAA.”

OCR must be notified about any breach of SUD records, and the agency will investigate breaches to determine if they were the result of noncompliance. On February 16, 2026, OCR started accepting complaints about potential violations of the Part 2 regulations, including civil rights and breach notifications related to SUD records.

Complaints about potential Part 2 violations should be submitted via the OCR breach portal. Individuals are encouraged to file a complaint if they believe that their civil rights or health information privacy have been violated, but also if they suspect that the civil rights or health information privacy of other individuals have been violated. Complaints will be investigated, and if substantiated, violations will be resolved through the newly established enforcement mechanisms.

The OCR breach portal has been updated to show entities and individuals that have experienced breaches of Part 2 records. As with the section of the OCR breach portal for HIPAA breach reports, a summary of each breach of Part 2-covered records is listed. The listings include basic information about the breach – The name of the Part 2 Program, state, individuals affected, breach submission date, type of breach, and the location of breached information. When OCR has completed its investigation of the breach, the complaints will be moved to the archive, with brief notes added from OCR’s investigation. The breach portal only includes large breaches of SUD records – those affecting 500 or more individuals. Smaller breaches are not made public, although the breach reporting requirements are the same, irrespective of the size of the breach.

The post HHS Office for Civil Rights Establishes Part 2 Enforcement Program appeared first on The HIPAA Journal.