HIPAA Compliance News

Trump Administration Announces Plan to Improve Patient Data Sharing

Posted August 1, 2025 by Steve Alder

This week, the Trump Administration announced a new initiative aimed at improving interoperability and the exchange of healthcare data, and has obtained pledges from leading healthcare and technology firms to create a foundation for a next-generation digital health ecosystem, which will improve patient outcomes, reduce provider burden, and drive value.

The initiative was announced during a HHS’ Centers for Medicare & Medicaid Services (CMS) hosted White House event dubbed “Make Health Tech Great Again,” and follows years of bipartisan efforts to improve interoperability and eradicate information blocking to improve the quality of care and eliminate waste. “For decades, bureaucrats and entrenched interests buried health data and blocked patients from taking control of their health,” said HHS Secretary Robert F. Kennedy, Jr. “That ends today. We’re tearing down digital walls, returning power to patients, and rebuilding a health system that serves the people. This is how we begin to Make America Healthy Again.”

At the event, the CMS fleshed out its plan, which includes voluntary criteria for trusted, patient-centered, and practical data exchange for all network types: health information networks, exchanges, electronic health records (EHR), and tech platforms. The effort is focused on two key areas: promoting a voluntary CMS Interoperability Framework that will allow data to be easily shared between patients and providers, and making personalized tools available to give patients the information and resources they need to make better health decisions. Under the initiative, more than 60 companies have pledged to work collaboratively to deliver results by the first quarter of 2026, including tech firms such as Amazon, Anthropic, Apple, Google, and OpenAI.

The initiative has been welcomed by the HHS’ Office for Civil Rights (OCR), which for several years has had a HIPAA enforcement initiative targeting noncompliance with the HIPAA Right of Access. Under that initiative, more than 50 healthcare providers have paid financial penalties for failing to provide patients with timely access to their medical records, as required by the HIPAA Privacy Rule. While patients can receive copies of their health records under HIPAA, there are still barriers to sharing that information with others. Under this initiative, tools will be made available to make data sharing as simple as providing a QR code to a new healthcare provider to transfer medical records.

“[OCR] supports actions that improve the timeliness in providing individuals with access to their electronic protected health information, without sacrificing health information privacy and security,” said OCR Director Paula M. Stannard. “If an individual receives another individual’s electronic protected health information in error, generally, OCR’s primary HIPAA enforcement interests are ensuring that the affected individual and HHS receive timely HIPAA breach notification.”

More than 21 networks have agreed to adopt the voluntary criteria to become CMS-aligned networks, and 30 companies have pledged to provide apps that will use secure digital identity credentials to obtain electronic medical records from CMS alligned networks and facilitate data sharing. Apps will be developed to help in key areas, such as helping patients with diabetes and obesity management, conversational AI assistants will be available for checking symptoms, scheduling appointments, and navigating care options, and “kill the clipboard” tools will be made available to replace intake forms with secure digital check-in methods.

One of the tech companies participating in the effort is CLEAR, a secure identity platform provider. “We are excited that identity services – like CLEAR – are making it possible for patients and providers to use verified, secure identity as part of CMS’s Health Tech Ecosystem,” said Amy Gleason, Acting Administrator for the U.S. DOGE Service and Strategic Advisor to the CMS. “Checking in at the doctor’s office should be the same as boarding a flight. Patients should be able to scan a QR code to instantly and safely share their identity, insurance, and medical history”.

The HHS has confirmed that all of the proposals will be compliant with the HIPAA Privacy and Security Rules. While that is no doubt true, once a healthcare provider has provided a patient with a copy of their records, those records are no longer protected by HIPAA. Patients must ensure they exercise caution when sharing their records with any third party, as uses and disclosures of the shared information may not be subject to HIPAA protections.

“Improving health tech interoperability can eliminate frustrating inefficiencies and empower patients and providers. But health data is some of the most sensitive information people can share — and it must be protected responsibly,” said Andrew Crawford, Senior Counsel, Privacy & Data, and the Center for Democracy & Technology. “The U.S. doesn’t have a general-purpose privacy law, and HIPAA only protects data held by certain people like healthcare providers and insurance companies. Many health and AI apps, including some being promoted by the Trump Administration, are typically not covered by HIPAA. That could put sensitive information in real danger.”

The post Trump Administration Announces Plan to Improve Patient Data Sharing appeared first on The HIPAA Journal.

New York Surgery Center Pays $250K to Settle HIPAA Risk Analysis; Breach Notification Violations

Posted July 24, 2025 by Steve Alder

Department of Health and Human Services (HHS) Office for Civil Rights (OCR) Director, Paula M. Stannard, has announced OCR’s 18^th HIPAA penalty of the year. Syracuse ASC, which does business as Specialty Surgery Center of Central New York, a single-facility ambulatory surgery center in Liverpool, New York, has agreed to settle alleged violations of the HIPAA Security Rule and HIPAA Breach Notification Rule and will pay a $250,000 financial penalty.

OCR launched an investigation of Syracuse ASC after receiving a data breach notification report on October 14, 2021, about a hacking incident involving unauthorized access to the protected health information of 24,891 current and former patients. A threat actor had access to its network from March 14, 2021, through March 31, 2021, and potentially obtained names, dates of birth, Social Security numbers, financial information, and clinical treatment information. OCR investigation confirmed that this was a ransomware attack involving PYSA ransomware.

OCR’s investigation uncovered no evidence to suggest that Syracuse ASC had ever conducted a risk analysis to identify potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information, as required by the HIPAA Security Rule – 45 C.F.R. §164.308(a)(1)(ii)(A). OCR also determined that Syracuse ASC had failed to issue timely notifications to the HHS Secretary and the affected individuals. The data breach was identified on March 31, 2021, yet notifications were not issued for six and a half months. The HIPAA Breach Notification Rule requires notifications to be issued within 60 days of the discovery of a data breach – 45 C.F.R. § 164.404(b) and 45 C.F.R. § 164.408(b).

Syracuse ASC was given the opportunity to resolve the alleged HIPAA violations informally, and the case was settled. Syracuse ASC has agreed to pay a $250,000 penalty and adopt a corrective action plan to ensure compliance with the HIPAA Rules. The corrective action plan requires Syracuse ASC to conduct an accurate and thorough risk analysis; develop and implement a risk management plan; develop, implement and maintain policies and procedures to ensure compliance with the HIPAA Rules; distribute those policies and procedures to the workforce; and provide the workforce with training on those policies and procedures at least every 12 months.

“Conducting a thorough HIPAA-compliant risk analysis (and developing and implementing risk management measures to address any identified risks and vulnerabilities) is even more necessary as sophisticated cyberattacks increase,” said OCR Director Paula M. Stannard. “HIPAA covered entities and business associates make themselves soft targets for cyberattacks if they fail to implement the HIPAA Security Rule requirements.”

OCR penalties for HIPAA violations - 2017 - 2025

The post New York Surgery Center Pays $250K to Settle HIPAA Risk Analysis; Breach Notification Violations appeared first on The HIPAA Journal.

Medical Imaging Service Provider Settles HIPAA Risk Analysis & Breach Notification Failures

Posted May 16, 2025 by Steve Alder

The HHS’ Office for Civil Rights has announced its 8th financial penalty under the Trump administration, with the latest financial penalty resolving an alleged violation of the risk analysis provision of the HIPAA Security Rule and a violation of the HIPAA Breach Notification Rule. The California magnetic resonance imaging (MRI) service provider, Vision Upright MRI LLC, has agreed to settle the alleged violations and will pay a $5,000 financial penalty.

OCR currently has a risk analysis enforcement initiative and has imposed 9 penalties under this initiative. OCR is focusing on risk analysis compliance as the risk analysis is a foundational Security Rule requirement that is essential for risk management and implementing safeguards to ensure the confidentiality, integrity, and availability of electronic protected health information (ePHI). The failure to conduct a comprehensive and accurate risk analysis is also one of the most commonly identified HIPAA violations.

OCR also appears to be looking closely at Breach Notification Rule compliance. The HIPAA Breach Notification Rule requires notifications to be issued to the HHS Secretary (via the OCR breach portal) and the affected individuals within 60 days of the discovery of a data breach. A media notice is also required for breaches affecting 500 or more individuals. This is the second HIPAA compliance case this year to include a penalty for late breach notifications.

Vision Upright MRI is a small healthcare provider with one location in San Jose, California. OCR notified Vision Upright MRI on December 1, 2020, that OCR had initiated an investigation into compliance with the HIPAA Rules. It is unclear from the settlement agreement how OCR discovered the data breach, as the data breach was not reported to OCR, and the affected individuals were not notified. The breach also does not appear to have been reported to the California Attorney General. The only breach notice on the OCR breach portal from Vision Upright MRI is a March 10, 2025, breach with 23,031 affected individuals.

OCR’s investigation revealed Vision Upright MRI had never conducted a comprehensive and accurate risk analysis to identify risks and vulnerabilities to ePHI, and also failed to notify the affected individuals within 60 days of the discovery of a data breach. OCR said the ePHI of 21,778 individuals, including medical images and associated ePHI, was stored on an unsecured Picture Archiving and Communication System (PACS) server. The server and PACS were used for storing, retrieving, managing, and accessing radiology images, and the server had been accessed by an unauthorized third party. It is unclear whether the access was by a hacker, a security researcher, or another individual.

Under the terms of the settlement, Vision Upright MRI will pay a $5,000 financial penalty and adopt a corrective action plan (CAP) to ensure HIPAA compliance. Compliance with the CAP will be monitored by OCR for 2 years. The CAP requires Vision Upright MRI to conduct a comprehensive and accurate risk analysis to identify risk and vulnerabilities to ePHI; develop, implement, and maintain a risk management plan to reduce any risks and vulnerabilities identified through the risk analysis to a low and acceptable level; develop, implement, and maintain policies and procedures to comply with the HIPAA Rules; distribute the policies and procedures to the workforce and provide HIPAA training; and issue breach notifications to the HHS, the media, and the affected individuals.

“Cybersecurity threats affect large and small covered health care providers,” OCR Acting Director Anthony Archeval said. “Small providers also must conduct accurate and thorough risk analyses to identify potential risks and vulnerabilities to protected health information and secure them.”

OCR HIPAA Fines and settlements 2017 to 2025

The post Medical Imaging Service Provider Settles HIPAA Risk Analysis & Breach Notification Failures appeared first on The HIPAA Journal.

Healthcare Workers Violating Patient Privacy by Uploading Sensitive Data to GenAI and Cloud Accounts

Posted May 14, 2025 by Steve Alder

Research conducted by the cybersecurity company Netskope indicates healthcare workers routinely expose sensitive data such as protected health information (PHI) by using generative AI tools such as ChatGPT and Google Gemini and by uploading data to personal cloud storage services such as Google Drive and OneDrive.

The healthcare industry has fully embraced AI tools, with almost all organizations using AI tools to some degree to improve efficiency. According to data collected by Netskope Threat Labs, 88% of healthcare organizations have integrated cloud-based genAI apps into their operations, 98% use apps that incorporate genAI features, 96% use apps that leverage user data for training, and 43% are experimenting with running genAI infrastructure locally.

As more healthcare organizations incorporate AI tools into their operations and make them available to their workforces, fewer healthcare workers are using personal AI accounts for work purposes; however, 71% of healthcare workers still use personal AI accounts, down from 87% the previous year. If genAI tools are not HIPAA-compliant and the developers will not sign business associate agreements, using those tools with PHI violates HIPAA and puts organizations at risk of regulatory penalties. Further, uploading patient data to genAI tools and cloud storage services without robust safeguards in place can erode patient trust.

“Beyond financial consequences, breaches erode patient trust and damage organizational credibility with vendors and partners,” Ray Canzanese of Netskope said. It is clear that there needs to be greater oversight of the use of AI tools, and a pressing need for authorized tools to be provided to reduce “shadow AI” risks.

According to Netskope, the mishandling of HIPAA-regulated data is the leading security concern in the healthcare sector, and PHI is the most common type of sensitive data uploaded to personal cloud apps, genAI apps, and other unapproved locations. Netskope reports that 81% of all data policy violations were for regulated healthcare data, with the remainder including source code, secrets, and intellectual property.

“Healthcare organizations must balance the benefits of genAI with the implementation of strict data governance policies to mitigate associated risks,” warns Netskope. Netskope recommends the adoption of enterprise-grade genAI applications with robust security features to ensure that sensitive and regulated data is properly protected, along with data loss prevention (DLP) tools for monitoring and controlling access to genAI tools to prevent privacy violations. Netskope says 54% of healthcare organizations now have DLP policies, up from 31% the previous year. The most commonly blocked genAI apps in healthcare are DeepAI, Tactiq, and Scite, with 44%, 40%, and 36% of healthcare organizations blocking these apps with their DLP tools due to privacy risks and there being more secure alternatives.

While genAI tools certainly have a place in healthcare and can help improve efficiency, there are significant security challenges. Netskope warns that healthcare organizations must remain vigilant, implement comprehensive security measures, and enforce data protection policies, as well as incorporate the risks into their cybersecurity awareness training.

The report also warns of the risk of malware infections via cloud apps. Threat actors are increasingly using cloud apps to deploy information stealers and ransomware, with GitHub, OneDrive, Amazon S3, and Google Drive being the most common. Rather than trying to breach networks themselves, threat actors use social engineering to trick healthcare employees into compromising their own systems with first-stage malware payloads, which give threat actors initial access to networks. Netskope recommends inspecting all HTTP and HTTPS traffic for phishing and malware, blocking apps that serve no business purpose or pose a disproportionate risk to the organization, and using remote browser isolation technology when categories of websites need to be visited that pose a higher risk, such as newly registered domains.

The post Healthcare Workers Violating Patient Privacy by Uploading Sensitive Data to GenAI and Cloud Accounts appeared first on The HIPAA Journal.

New York Neurology Practice Pays $25,000 to Resolve Alleged Risk Analysis Violation

Posted April 28, 2025 by Steve Alder

The HHS’ Office for Civil Rights (OCR) has announced another settlement to resolve an alleged violation of the risk analysis implementation specification of the HIPAA Security Rule. Comprehensive Neurology PC, a small neurology practice in New York City that specializes in diagnosing and treating neurological conditions such as dementia, Parkinson’s disease, epilepsy, and memory loss, has agreed to settle the alleged violation and pay a $25,000 financial penalty.

The alleged HIPAA violation was identified by OCR during an investigation of a 2020 data breach that involved unauthorized access to the electronic protected health information (ePHI) of 6,800 individuals. OCR was informed of the data breach on December 17, 2020. Comprehensive Neurology discovered it had been attacked with ransomware on December 14, 2020, when staff were prevented from accessing patients’ medical records. The forensic investigation confirmed that the ePHI of 6,800 individuals had been exposed and potentially stolen in the attack, including names, clinical information, health insurance information, demographic information, Social Security numbers, driver’s license numbers, and state identification numbers.

OCR’s investigation revealed that Comprehensive Neurology had failed to conduct a comprehensive and accurate risk analysis to identify risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI, as required by 45 C.F.R. §164.308(a)(1)(ii)(A) of the HIPAA Security Rule. Comprehensive Neurology was given an opportunity to settle the alleged HIPAA violation informally and agreed to pay a financial penalty and adopt a corrective action plan. OCR will monitor Comprehensive Neurology for compliance with the corrective action plan for two years.

The corrective action plan requires Comprehensive Neurology to:

Conduct a comprehensive, accurate, and organization-wide risk analysis
Develop and implement a risk management plan to reduce the identified risks and vulnerabilities to a low and acceptable level
Develop, implement, and maintain policies and procedures to ensure compliance with the HIPAA Rules
Distribute those policies and procedures to members of the workforce
Provide training to the workforce on those policies and procedures
Submit an implementation report to OCR and annual reports confirming compliance with the corrective action plan
Ensure that any data breaches or compliance violations are reported to OCR promptly

It has been a busy month of HIPAA enforcement for OCR. So far this month, OCR has announced four settlements with HIPAA-regulated entities to resolve alleged violations of the HIPAA Rules, and seven penalties this year under the Trump administration. All seven of the enforcement actions include penalties for risk analysis failures. The settlement with Comprehensive Neurology was OCR’s 12^th investigation of a ransomware attack to result in a financial penalty for HIPAA compliance failures, and the 8^th enforcement action under OCR’s risk analysis enforcement initiative. OCR explained that by focusing on risk analyses, the most commonly identified HIPAA violation, OCR can increase the number of closed investigations and highlight the importance of compliance with this foundational HIPAA Security Rule requirement.

“Effective cybersecurity requires proactively implementing the HIPAA Security Rule requirements before a breach or cybersecurity incident occurs,” said OCR Acting Director Anthony Archeval. “OCR urges health care entities to prioritize compliance with the HIPAA Security Rule risk analysis requirement.”

HIPAA violation penalties 2020-2025

The post New York Neurology Practice Pays $25,000 to Resolve Alleged Risk Analysis Violation appeared first on The HIPAA Journal.

OCR Explains Department’s Key Priorities at HHS-NIST Conference

Posted October 28, 2024 by Steve Alder

Last week, the Department of Health and Human Services (HHS) and the National Institute for Standards and Technology (NIST) hosted the Safeguarding Health Information: Building Assurance Through HIPAA Security 2024 conference after a 5-year absence. Attendees learned about the current cybersecurity landscape in healthcare, how compliance with the HIPAA Security Rule can help HIPAA-regulated entities combat cyber threats, and were provided with practical tips and techniques for implementing the requirements of the HIPAA Security Rule.

On October 24, 2024, in a keynote speech, OCR Director Melanie Fontes Rainer provided an update on OCR’s main priorities. One of the key priorities is an update to the HIPAA Security Rule to add new cybersecurity requirements. OCR has been working on an update to the HIPAA Security Rule this year and has now finalized its proposed rule. The proposed rule is now being reviewed by the Office of Management and Budget (OMB) and Fontes Rainer anticipates publishing a Notice of Proposed Rulemaking (NPRM) before the end of the year.

Fontes Rainer did not share any of the cybersecurity measures that have been added, only confirming that since this will be the first time in two decades that the HIPAA Security Rule has been updated, there will be “substantive updates.” The process of rulemaking has been informed by thousands of investigations of healthcare data breaches and complaints, which has allowed OCR to develop a more robust HIPAA Security Rule to make sure the healthcare sector is much more secure. When the NPRM is published, likely to be in December 2024, healthcare industry stakeholders will be able to submit their feedback and have their say. Fontes Rainer said the department is looking forward to the opportunity to engage with the healthcare community through the public commenting process.

Fontes Rainer explained that OCR has continued to investigate complaints and data breaches and has imposed several financial penalties this year to resolve noncompliance issues. This year, as well as its enforcement actions over the past 15 years, have uncovered the same noncompliance issues time and time again. One of the most commonly identified issues, and one of the main areas of noncompliance to result in financial penalties, is noncompliance with the risk analysis provision of the HIPAA Security Rule. In many investigations, OCR has discovered the failure to conduct a comprehensive, organization-wide risk analysis to identify risks and vulnerabilities to ePHI, incomplete risk analyses, and compliance with that requirement but a failure to act on the information gathered during the risk analysis and manage and reduce risks to a low and acceptable level. The importance of compliance with this issue is why OCR has made the risk analysis requirement an enforcement initiative.

OCR has received many complaints in recent years about the failure to provide individuals with a copy of their requested records, as required by the HIPAA Right of Access. It is one of the most common reasons for individuals filing complaints with OCR. In response, OCR launched a HIPAA Right of Access enforcement initiative in 2019 and in the years since has imposed 50 financial penalties for the failure to provide timely access to medical records.

Investigations of complaints and data breaches will remain a key priority for the department but financial penalties are relatively rare. The majority of investigations where noncompliance is discovered are resolved through technical assistance, highlighting how OCR works with HIPAA-regulated entities to help them comply with the regulations. Fontes Rainer said the reason compliance issues are flagged is because compliance is important and must be addressed.

The other main focus of OCR is to engage with the healthcare sector on cybersecurity matters but Fontes Rainer said the department is fairly small, has an extensive workload, and limited budget, so OCR’s efforts to engage with the community need to be highly focused and strategic. She said it is vital that OCR and the healthcare community work together to drive forward compliance and improve cybersecurity. OCR has increased engagement through webinars, YouTube videos, and newsletters in an effort to reach more members of the community and combat the growing threat of cyberattacks and data breaches – which affected more than 160 million individuals last year.

The post OCR Explains Department’s Key Priorities at HHS-NIST Conference appeared first on The HIPAA Journal.

Heritage Valley Health System Pays $950,000 to Settle Alleged HIPAA Security Rule Violations

Posted July 2, 2024 by Steve Alder

The HHS’ Office for Civil Rights (OCR) has agreed to settle alleged HIPAA Security Rule violations with Heritage Valley Health System for $950,000. Heritage Valley is a 3-hospital health system with more than 50 physician offices and many community satellite facilities in Pennsylvania, eastern Ohio, and the panhandle of West Virginia.

In 2017, Heritage Valley was affected by a global malware attack that saw NotPetya malware installed on its network via a connection with its business associate, Nuance Communications. OCR launched an investigation of Heritage Valley in October 2017 following media reports of a data security incident to determine whether Heritage Valley was compliant with the requirements of the HIPAA Security Rule.

OCR’s investigation uncovered multiple Security Rule compliance failures, including the most commonly identified Security Rule issue – The failure to conduct an accurate and thorough risk analysis to identify potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI), as required by 45 C.F.R. § 164.308(a)(1)(ii)(A).

The HIPAA Security Rule – 45 C.F.R. § 164.308(a)(7) – requires covered entities to develop and implement a contingency plan for responding to an emergency that damages systems containing ePHI. Heritage Valley was found not to be compliant with this requirement. OCR also identified a failure to implement technical policies and procedures for electronic information systems that maintain ePHI only to permit access by authorized persons or software programs – 45 C.F.R. § 164.308(a)(4) and 164.312(a)(1)).

The healthcare industry is being targeted by ransomware groups and ransomware-related data breaches have increased by 264% since 2018. Healthcare organizations that are fully compliant with the HIPAA Security Rule can reduce the risk of a ransomware attack succeeding and can limit the harm caused in the event of a successful attack.

In addition to paying the financial penalty, Heritage Valley has agreed to implement a corrective action plan, compliance with which will be monitored by OCR for 3 years. The corrective action plan includes the requirement to conduct an accurate and thorough risk analysis, implement a risk management plan to reduce identified risks and vulnerabilities and review, develop, maintain, and revise as necessary its written policies and procedures to comply with the HIPAA Rules and provide training to the workforce on those policies and procedures.

“Hacking and ransomware are the most common type of cyberattacks within the health care sector. Failure to implement the HIPAA Security Rule requirements leaves health care entities vulnerable and makes them attractive targets to cyber criminals,” said OCR Director Melanie Fontes Rainer. “Safeguarding patient-protected health information protects privacy and ensures continuity of care, which is our top priority. We remind and urge health care entities to protect their records systems and patients from cyberattacks.”

This is the third OCR HIPAA penalty imposed in response to a ransomware attack and the fifth HIPAA enforcement action of 2024 to result in a financial penalty.

When announcing the enforcement action, OCR took the opportunity to remind all HIPAA-regulated entities of their responsibilities under the HIPAA Security Rule to take action to mitigate or prevent cyber threats. These include:

Reviewing relationships with business associates, ensuring a business associate agreement is in place, and addressing data breach and security incident obligations
Integrating risk analysis and risk management into business processes, and conducting risk analyses when new technologies are implemented and business operations change.
Ensuring an audit trail is maintained and information system activity is regularly reviewed
Encrypting ePHI to prevent unauthorized access and implementing multifactor authentication on accounts
Providing regular training to the workforce specific to the organization and job responsibilities and reinforcing the role of members of the workforce with respect to privacy and security
When security incidents occur, incorporate the lessons learned into the security management process.

The post Heritage Valley Health System Pays $950,000 to Settle Alleged HIPAA Security Rule Violations appeared first on The HIPAA Journal.

March 2024 Healthcare Data Breach Report

Posted April 23, 2024 by Steve Alder

March was a particularly bad month for healthcare data breaches with 93 branches of 500 or more records reported to the Department of Health and Human Services (HHS) Office for Civil Rights (OCR), a 50% increase from February and a 41% year-over-year increase from March 2023. The last time more than 90 data breaches were reported in a single month was September 2020.

The reason for the exceptionally high number of data breaches was a cyberattack on the rehabilitation and long-term acute care hospital operator Ernest Health. When a health system experiences a breach that affects multiple hospitals, the breach is usually reported as a single breach. In this case, the breach was reported individually for each of the 31 affected hospitals. Had the breach been reported to OCR as a single breach, the month’s breach total would have been 60, well below the average of 66.75 breaches a month over the past 12 months.

While the breach total was high, the number of individuals affected by healthcare data breaches fell for the fourth consecutive month to the lowest monthly total since January 2023. Across the 93 reported data breaches, the protected health information of 2,971, 249 individuals was exposed or impermissibly disclosed – the lowest total for March since 2020.

Biggest Healthcare Data Breaches in March 2024

18 data breaches were reported in March that involved the protected health information of 10,000 or more individuals, all of which were hacking incidents. The largest breach of the month was reported by the Pennsylvanian dental care provider, Risa’s Dental and Braces. While the breach was reported in March, it occurred 8 months previously in July 2023. A similarly sized breach was reported by Oklahoma’s largest emergency medical care provider, Emergency Medical Services Authority. Hackers gained access to its network in February and stole files containing names, addresses, dates of birth, and Social Security numbers.

Philips Respironics, a provider of respiratory care products, initially reported a hacking-related breach to OCR involving the PHI of 457,152 individuals. Hackers gained access to the network of the Queens, NY-based billing service provider M&D Capital Premier Billing in July 2023, and stole files containing the PHI of 284,326 individuals, an August 2023 hacking incident was reported by Yakima Valley Radiology in Washington that involved the PHI of 235,249 individuals, and the California debt collection firm Designed Receivable Solutions, experienced a breach of the PHI of 129,584 individuals. The details of the breach are not known as there has been no public announcement other than the breach report to OCR.

Name of Covered Entity	State	Covered Entity Type	Individuals Affected	Breach Cause
Risas Dental & Braces	PA	Healthcare Provider	618,189	Hacking Incident
Emergency Medical Services Authority	OK	Healthcare Provider	611,743	Hacking Incident
Philips Respironics	PA	Business Associate	457,152	Exploited software vulnerability (MoveIT Transfer)
M&D Capital Premier Billing LLC	NY	Business Associate	284,326	Hacking Incident
Yakima Valley Radiology, PC	WA	Healthcare Provider	235,249	Hacked email account
Designed Receivable Solutions, Inc.	CA	Business Associate	129,584	Hacking Incident
University of Wisconsin Hospitals and Clinics Authority	WI	Healthcare Provider	85,902	Compromised email account
Aveanna Healthcare	GA	Healthcare Provider	65,482	Compromised email account
Ezras Choilim Health Center, Inc.	NY	Healthcare Provider	59,861	Hacking Incident (data theft confirmed)
Valley Oaks Health	IN	Healthcare Provider	50,034	Hacking Incident
Family Health Center	MI	Healthcare Provider	33,240	Ransomware attack
CCM Health	MN	Healthcare Provider	28,760	Hacking Incident
Weirton Medical Center	WV	Healthcare Provider	26,793	Hacking Incident
Pembina County Memorial Hospital	ND	Healthcare Provider	23,811	Hacking Incident (data theft confirmed)
R1 RCM Inc.	IL	Business Associate	16,121	Hacking Incident (data theft confirmed)
Ethos, also known as Southwest Boston Senior Services	MA	Business Associate	14,503	Hacking Incident
Pomona Valley Hospital Medical Center	CA	Healthcare Provider	13,345	Ransomware attack on subcontractor of a vendor
Rancho Family Medical Group, Inc.	CA	Healthcare Provider	10,480	Cyberattack on business associate (KMJ Health Solutions)

Data Breach Causes and Location of Compromised PHI

As has been the case for many months, hacking incidents dominated the breach reports. 76 of the month’s breaches were classed as hacking/IT incidents, which involved the records of 2,918,585 individuals, which is 98.2% of all records compromised in March. The average breach size was 38,402 records and the median breach size was 3,144 records. The nature of the hacking incidents is getting harder to determine as little information about the incidents is typically disclosed in breach notifications, such as whether ransomware or malware was used. The lack of information makes it hard for the individuals affected by the breach to assess the level of risk they face. Many of these breaches were explained as “cyberattacks that caused network disruption” in breach notices, which suggests they were ransomware attacks.

There were 11 unauthorized access/disclosure incidents reported involving a total of 36,533 records. The average breach size was 3,321 records and the median breach size was 1,956 records. There were 4 theft incidents and 1 loss incident, involving a total of 15,631 records (average: 3,126 records; median 3,716 records), and one improper disposal incident involving an estimated 500 records. The most common location for breached PHI was network servers, which is to be expected based on the number of hacking incidents, followed by compromised email accounts.

Where Did the Data Breaches Occur?

The OCR data breach portal shows there were 77 data breaches at healthcare providers (2,030,568 records), 10 breaches at business associates (920,522 records), and 6 data breaches at health plans (20,159 records). As OCR recently confirmed in its Q&A for healthcare providers affected by the Change Healthcare ransomware attack, it is the responsibility of the covered entity to report breaches of protected health information when the breach occurs at a business associate; however, the responsibility for issuing notifications can be delegated to the business associate. In some cases, data breaches at business associates are reported by the business associate for some of the affected covered entity clients, with some covered entities deciding to issue notifications themselves. That means that data breaches at business associates are often not abundantly clear on the breach portal. The HIPAA Journal has determined the location of the breaches, with the pie charts below show where the breaches occurred, rather than the entity that reported the breach.

Geographical Distribution of Healthcare Data Breaches

In March, data breaches were reported by HIPAA-regulated entities in 33 U.S. states. Texas was the worst affected state with 16 breaches reported, although 8 of those breaches were reported by Ernest Health hospitals that had data compromised in the same incident. California experienced 10 breaches, including 3 at Ernest Health hospitals, with New York also badly affected with 7 reported breaches.

State	Breaches
Texas	16
California	10
New York	7
Pennsylvania	6
Indiana	5
Colorado & Florida	4
Illinois, Ohio & South Carolina	3
Arizona, Idaho, Massachusetts, Michigan, Minnesota, New Mexico, North Carolina, Oklahoma & Utah	2
Alabama, Georgia, Kansas, Kentucky, Nevada, New Jersey, North Dakota, Oregon, Tennessee, Virginia, Washington, West Virginia, Wisconsin & Wyoming	1

HIPAA Enforcement Activity in March 2024

OCR announced one settlement with a HIPAA-regulated entity in March to resolve alleged violations of the HIPAA Rules. The Oklahoma-based nursing care company Phoenix Healthcare was determined to have failed to provide a daughter with a copy of her mother’s records when the daughter was the personal representative of her mother. It took 323 days for the records to be provided, which OCR determined was a clear violation of the HIPAA Right of Access and proposed a financial penalty of $250,000.

Phoenix Healthcare requested a hearing before an Administrative Law Judge, who upheld the violations but reduced the penalty to $75,000. Phoenix Healthcare appealed the penalty and the Departmental Appeals Board affirmed the ALJ’s decision; however, OCR offered Phoenix Healthcare the opportunity to settle the alleged violations for $35,000, provided that Phoenix Healthcare agreed not to challenge the Departmental Appeals Board’s decision.

The post March 2024 Healthcare Data Breach Report appeared first on HIPAA Journal.

New Jersey Nursing Facility to Pay $100,000 CMP to Resolve HIPAA Right of Access Violation

Posted April 2, 2024 by Steve Alder

The HHS’ Office for Civil Rights has announced another financial penalty has been imposed for a violation of the HIPAA Right of Access. Essex Residential Care, LLC, which does business as Hackensack Meridian Health, West Caldwell Care Center in New Jersey, has been ordered to pay a civil monetary penalty of $100,000 to resolve the alleged violation.

Hackensack Meridian Health operates skilled nursing facilities in New Jersey, including the West Caldwell Care Center. In May 2020, OCR received a complaint from the son of a mother who had received care at West Caldwell Care Center who alleged he had not been provided with a copy of her medical records within the 30 days allowed by the HIPAA Privacy Rule.

Son Not Provided with His Mother’s Records within 30 Days

The complainant was the personal representative of his mother and therefore should have been provided with a copy of his mother’s medical records. The complainant first asked for a copy of the records on April 19, 2020, via email, and on April 23, 2020, an administrator at West Caldwell Care Center advised him that the records could not be provided without a copy of a power of attorney, medical proxy or similar document executed by the mother, confirming that he was her personal representative.

The appropriate documentation was provided but West Caldwell Care Center still did not provide the requested records, which led to him filing a complaint with OCR. On October 15, 2020, OCR notified West Caldwell Care Center that an investigation had been opened as a result of the complaint and the correspondence included a data request pursuant to the investigation.

West Caldwell Care Center responded and acknowledged that the records had not been provided within the allowed 30 days and, in response to OCR’s investigation, sent the requested records in late November, which were received by the complainant on December 1, 2020, 161 days after the initial request was made.

West Caldwell Care Center Disagreed with OCR’s Determination

Most HIPAA Right of Access investigations are informally settled with OCR, a financial penalty is paid, and the covered entity agrees to adopt a corrective action plan which includes updates to its policies and procedures and training on HIPAA policies for staff members. In this case, West Caldwell Care Center’s attorney disagreed with OCR’s proposed resolution of the investigation. OCR then notified West Caldwell Care Center that the investigation had uncovered preliminary indications of non-compliance with the HIPAA Right of Access, and OCR provided West Caldwell Care Center with the opportunity to submit evidence of mitigating factors.

West Caldwell Care Center acknowledged that the complainant was not provided with the requested records, but the records were provided to another facility to which his mother had been transferred. West Caldwell Care Center also said that at the time of the initial request, there was ongoing litigation due to the non-payment of care costs. As another mitigating factor, West Caldwell Care Center said it was dealing with the COVID-19 pandemic, and that the complainant filed a complaint with OCR exactly 30 days after the request was made before West Caldwell Care Center’s response to the initial request was due. West Caldwell Care Center accepted that the matter should have been handled differently.

$100,000 Civil Monetary Penalty Imposed

OCR determined that West Caldwell Care Center failed to provide the requested records within the 30 days allowed by the HIPAA Privacy Rule and that the delay from June 23, 2020, to December 1, 2020, was a violation of the HIPAA Right of Access. The maximum civil monetary penalty was $206,080 based on the reasonable cause penalty tier (see: What are the penalties for HIPAA violations); however, per OCR’s reinterpretation of the language of the HITECH Act and its subsequent Notice of Enforcement Discretion, the penalty was capped at $100,000.

West Caldwell Care Center argued that a civil monetary penalty was not permitted because the violation was not due to wilful neglect and was timely corrected and that imposing a civil monetary penalty would be arbitrary and capricious and would violate the Administrative Procedure Act (APA). OCR disagreed that the violation was timely corrected and said the affirmative defense requirements were not met, and that the penalty was appropriate and reasonable given that the violation did not violate the APA and that the civil penalty amount was reasonable given the substantial delay providing the requested records.

West Caldwell Care Center said its staff believed they had responded in the allowed time frame by transferring the records to another facility; however, OCR’s view was that the records were not provided to the personal representative as required by HIPAA. West Caldwell Care Center was advised of its right to request a hearing with an administrative law judge; but on advice from its legal counsel, chose to waive that right.

“A patient’s timely access to health records is paramount for medical care. The Office for Civil Rights continues to receive complaints from individuals and personal representatives on behalf of individuals who do not receive timely access to their health records,” commented OCR Director Melanie Fontes Rainer. “OCR will continue to vigorously enforce this essential right to ensure compliance by health care facilities across the country.”

This is the fourth financial penalty imposed by OCR in 2024 to resolve alleged HIPAA violations and its 145^th financial penalty to date. OCR has now fined 48 HIPAA-regulated entities for failing to provide patients or their personal representatives with timely access to the requested medical records that they are legally entitled to obtain.

The post New Jersey Nursing Facility to Pay $100,000 CMP to Resolve HIPAA Right of Access Violation appeared first on HIPAA Journal.

Daily HIPAA News, HIPAA RSS Feeds, HIPAA Information