HIPAA Compliance News

December 2025 Healthcare Data Breach Report

Posted by Steve Alder

In the final month of 2025, a further 41 healthcare data breaches affecting 500 or more individuals were reported to the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) by HIPAA-regulated entities. December’s total was the joint second-lowest monthly total of the year and the fourth month in a row where data breaches have been reported in unusually low numbers. Over the past four months, an average of 40.75 large data breaches have been reported per month, compared to an average of 66.5 large data breaches per month for the preceding four months. December 2025’s total is the lowest December total since 2019.

Healthcare data breaches in 2025

One possible explanation for the unusually low total is the 43-day government shutdown, due to the failure of Congress to pass appropriations legislation. All but non-essential staff at the HHS were furloughed, during which time no breach reports were added to the OCR breach portal. While data breach reports have now been added to the breach portal for that period, it is possible that OCR has yet to fully clear the backlog, and the totals for September to December may increase over the coming weeks.

December healthcare data breaches 2021-2025

As it stands, there are currently 697 data breaches listed for 2025, a 6% reduction from the 742 large data breaches reported in 2024. The 697 total will almost certainly increase. When we compiled our December 2024 healthcare data breach report on January 20, 2025, 721 large healthcare data breaches were listed. A further 21 were added to the breach portal for 2024 in the following weeks and months.

Individuals affected by healthcare data breaches in 2025

Across the 41 healthcare data breaches currently listed for December 2025, the protected health information of only 345,564 individuals was exposed or impermissibly disclosed. The number of affected individuals in each of the past four months has also been atypically low, with an average of 1,336,061 individuals affected each month. For the preceding four months (May to August), the average monthly total was 8,181,449 individuals. The totals for the past four months will certainly increase, as many data breach investigations are ongoing, and it has yet to be determined how many individuals have been affected.

Individuals affected by December healthcare data breaches 2021-2025

December 2025’s 346,564 affected individuals is the lowest monthly total since December 2017, when 343,260 individuals were affected. Currently, 60,976,942 individuals are known to have been affected by healthcare data breaches in 2025, a 78.9% reduction from 2024, although 2024’s total includes the gargantuan data breach at Change Healthcare, which affected 192,700,000 individuals.

Largest Healthcare Data Breaches Reported in December 2025

Only five data breaches were reported in December that affected 10,000 or more individuals, the largest of which was a hacking incident at the Rochester, NY-based medical supply fulfillment organization, Fieldtex Products. While Fiedtex Products reported a breach affecting 104,071 individuals, in December, a total of four separate breach reports were filed with OCR by Fieldtex Products, affecting a total of 139,009 individuals, plus a further breach report was filed in November, affecting 35,748 individuals. These five incidents are thought to be due to the same hacking incident detected by Fieldtex Products on August 19, 2025.

AllerVie Health, a Texas-based network of allergy and asthma centers, fell victim to a ransomware attack in November 2025, with the hackers found to have had access to its network from October 24, 2025, to November 3, 2025. The Anubis ransomware group claimed responsibility for the attack. Medical Center LLP, doing business as Dublin Medical Center in Georgia, experienced a hacking incident that affected 20,641 individuals, and Variety Care in Oklahoma was affected by a cyberattack on its business associate TriZetto, a provider of administrative services to HIPAA-regulated entities. Variety Care was one of many covered entities affected by the data breach. While the total number of affected individuals has yet to be confirmed, the Trizetto data breach is now known to have affected more than 700,000 individuals.

Name of Covered Entity State Covered Entity Type Individuals Affected Cause of Breach
Fieldtex Products, Inc. NY Business Associate 104,071 Hacking incident
AllerVie Health TX Healthcare Provider 80,521 Ransomware attack (Anubis)
Medical Center, LLP GA Healthcare Provider 32,090 Hacking incident
Fieldtex Products, Inc. NY Business Associate 20,641 Hacking incident
Variety Care OK Healthcare Provider 17,163 Hacking incident at business associate (TriZetto Provider Solutions)

Six data breaches were reported in December 2025, with totals of 500 or 501 affected individuals. These are commonly used ‘placeholder’ estimates when the investigation is still ongoing as the deadline for reporting the data breach to OCR approaches. These totals will almost certainly increase and will be updated when the data breach investigations are concluded.

Name of Covered Entity State Covered Entity Type Individuals Affected Cause of Breach
Associated Radiologists of the Finger Lakes, P.C. NY Business Associate 501 Hacking Incident
Glendale Obstetrics & Gynecology PCA AZ Healthcare Provider 501 Hacking Incident
Reproductive Medicine Associates of Michigan MI Healthcare Provider 501 Hacking incident – Data theft confirmed
Mitchell County Department of Social Services NC Healthcare Provider 501 Ransomware attack – Data theft confirmed
Greater St. Louis Oral & Maxillofacial Surgery PC MO Healthcare Provider 501 Compromised email account in a phishing attack
Madison Healthcare Services MN Healthcare Provider 500 Hacking incident – Worldleaks threat group claimed responsibility

Causes of December 2025 Healthcare Data Breaches

Hacking and other IT incidents accounted for 80.5% of the month’s data breaches, with 33 such incidents reported, affecting 327,095 individuals – 94.4% of the month’s total. The average breach size was 9,912 individuals, and the median breach size was 2,511 individuals. There were 8 unauthorized access/disclosure incidents in December, affecting 19,469 individuals. The average breach size was 2,434 individuals, and the median breach size was 1,469 individuals. No loss, theft, or improper disposal incidents were reported in December.

Causes of December 2025 healthcare data breaches

The most common location of breached protected health information was network servers, followed by six incidents involving compromised email accounts.

Location of breached PHI in December 2025

Where did the Data Breaches Occur?

Healthcare providers were the worst-affected regulated entities in December, reporting 29 of the month’s 41 data breaches (191,900 individuals). Six data breaches were reported by health plans (12,272 individuals) and six by business associates (142,392 individuals). When a data breach occurs at a business associate, it is ultimately the responsibility of each affected covered entity to ensure that breach notifications are sent and OCR is notified. The covered entities may choose to delegate the notification responsibilities to the business associate, although oftentimes, the affected HIPAA-covered entities report the breach. For instance, covered entities affected by the data breach at Trizetto Provider Solutions reported the breach, even though it occurred at their business associate (or subcontractor of their business associate). To better reflect business associates, the charts below show data breach figures based on where the data breach occurred, rather than the entity reporting the data breach.

Data breaches at HIPAA-regulated entities in December 2025

 

Data breaches at HIPAA-regulated entities in December 2025 - individuals affected

Geographic Distribution of Healthcare Data Breaches

California was the worst-affected state in December in terms of data breaches, with nine HIPAA-regulated entities known to have been affected. The high total is due to the data breach at Trizetto Provider Solutions, which was either a business associate of a subcontractor of a business associate of six of the nine affected entities. New York ranked second, but four of its five data breaches were reported by the same entity, Fieldtex Products.

State Data Breaches
California 9
New York 5
Texas 4
Maryland, Michigan, Minnesota, Missouri, Oklahoma, Oregon & Tennessee 2
Arizona, Florida, Georgia, Illinois, Louisiana, Maine, Massachusetts, North Carolina & Ohio 1

While California topped the list for data breaches, New York was the worst state in terms of the number of affected individuals, followed by Texas.

State Individuals Affected
New York 140,320
Texas 85,728
Georgia 32,090
California 31,013
Oklahoma 18,275
Missouri 9,343
Oregon 6,473
Louisiana 4,519
Maryland 4,027
Tennessee 3,138
Illinois 2,511
Massachusetts 1,638
Ohio 1,629
Michigan 1,560
Maine 1,259
Florida 1,036
Minnesota 1,003
Arizona 501
North Carolina 501

HIPAA Enforcement Activity in December 2025

In December, OCR announced one HIPAA enforcement action that involved a financial penalty. Texas-based Concentra, Inc., was investigated after OCR received a complaint from an individual who had not been provided with timely access to his medical and billing records. Concentra agreed to settle the alleged HIPAA Right of Access violation and paid a $112,500 penalty. This was the 54th financial penalty under the HIPAA Right of Access enforcement initiative, which commenced in late 2019 and is ongoing. It has been a busy year of HIPAA enforcement, with OCR resolving 21 HIPAA violation cases with regulated entities in 2025 with a financial penalty. OCR collected $8,330,066 in penalties from those enforcement actions.

State attorneys general also enforce the HIPAA Rules, although 2025 was a quiet year, with only one financial penalty imposed to resolve a data breach investigation. Orthopedics NY LLP (OrthoNY) paid $500,000 to settle alleged cybersecurity failures that led to a breach of the protected health information of more than 656,000 individuals. The New York Attorney General cited violations of HIPAA and state cybersecurity laws.

The post December 2025 Healthcare Data Breach Report appeared first on The HIPAA Journal.

Comstar to Pay State AGs $515,000 to Settle Alleged HIPAA Violations

Posted by Steve Alder

Comstar, a Massachusetts-based ambulance billing and collections company, has been investigated by the Massachusetts Attorney General and found to have violated the Health Insurance Portability and Accountability Act (HIPAA) and the Massachusetts Data Security Regulations. Comstar will pay a $515,000 penalty to resolve the alleged violations.

Comstar was investigated over a March 2022 cyberattack and data breach. A cyber threat actor breached its network, exfiltrated files, and used ransomware to encrypt data on its network. While the attack was detected on March 26, 2022, the ransomware group gained access to its network on March 19, 2026. The forensic investigation confirmed that protected health information (PHI) had been stolen, including names, Social Security numbers, driver’s license numbers, financial information, and medical assessment information. The PHI of 585,621 individuals was compromised in the ransomware attack, including 326,426 Massachusetts residents and 22,829 Connecticut residents.

The Rowley, Massachusetts-based company faced an investigation by the Department of Health and Human Services Office for Civil Rights (OCR), which determined that Comstar failed to conduct a comprehensive and accurate risk analysis to identify risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI) stored within its systems. The alleged HIPAA violation was resolved with a $75,000 financial penalty and a corrective action plan.

An investigation was also launched by the Massachusetts Attorney General to assess whether Comstar had complied with HIPAA, the Massachusetts Consumer Protection Act, the Massachusetts Data Security Regulations, and the Massachusetts Data Security Law. The Connecticut Attorney General partnered with the Massachusetts Attorney General in the investigation. Massachusetts Attorney General Andrea Campbell alleged that Comstar had violated HIPAA and the Massachusetts Data Security Regulations by failing to maintain an adequate Written Information Security Program (WISP), which should have allowed the company to identify and correct vulnerabilities and inadequacies in its data security program.

The consent judgment was filed in Suffolk Superior Court on January 28, 2026, and awaits approval from the court. If approved, Massachusetts will receive $415,000, and Connecticut will received $100,000. In addition to the financial penalty, Comstar is required to implement additional security measures. An effective WISP must be established and maintained, as well as anti-phishing software, multifactor authentication, an intrusion detection/prevention system, and a security incident and event management platform.

Comstar must also implement and maintain a comprehensive and accurate IT asset inventory, appropriate access controls, password policies requiring strong unique passwords for all accounts, encryption for ePHI at rest and in transit, data loss protection software, a penetration testing program, and security software on all laptop and desktop computers. Comstar must also arrange for third-party annual security assessments to be conducted for the next three years. The Massachusetts and Connecticut Attorneys General require reports to be submitted by the third-party assessor on the findings of each annual security risk assessment.

The post Comstar to Pay State AGs $515,000 to Settle Alleged HIPAA Violations appeared first on The HIPAA Journal.

HHS Applies Inflation Increase to Penalties for HIPAA Violations

Posted by Steve Alder

The HHS’ Office for Civil Rights has increased the penalties for HIPAA violations with immediate effect. As of January 28, 2026, the penalties have been increased in line with inflation, as mandated by the Federal Civil Penalties Inflation Adjustment Act Improvements Act of 2015. Annual adjustments to the penalty amounts are necessary to maintain the deterrent effect of financial penalties.

When the HITECH Act was introduced, the penalties for HIPAA violations were set as follows:

  • Tier 1: Minimum fine of $100 per violation up to $50,000
  • Tier 2: Minimum fine of $1,000 per violation up to $50,000
  • Tier 3: Minimum fine of $10,000 per violation up to $50,000
  • Tier 4: Minimum fine of $50,000 per violation up to $1,500,000

The penalties were capped at $1,500,000 for violations of an identical provision in a calendar year, and all penalties are subject to annual increases in line with inflation. OCR, like all other Executive Departments and Agencies, is required to apply annual increases to its penalty amounts. Each year, the Office of Management and Budget (OMB) issues a Memorandum that includes a multiplier for the annual adjustment.

All Executive Departments and Agencies are required to apply the multiplier by the specified date, which for the 2025 increase was January 17 last year. The HHS is often late in applying the annual adjustment to its penalties. The previous adjustment to the penalty amounts was applied on August 8, 2024. While the 2025 adjustment was due to be applied by January 17, 2025, it was not applied until January 28, 2026, more than a year late. OMB has yet to announce the inflation multiplier for 2026.

The new penalty amounts are effective from the date of publication in the Federal Register. If the violation occurred before November 2, 2015, or a penalty was assessed before September 6, 2016, the pre-adjustment civil penalty amounts in effect before September 6, 2016, will apply.

2025 Penalties for HIPAA Violations

Penalty Tier Minimum Penalty Maximum Penalty Annual Penalty Cap
Did Not Know $145 $73,011 $2,190,294
Reasonable Cause $1,461 $73,011 $2,190,294
Willful Neglect (Corrected within 30 days) $14,602 $73,011 $2,190,294
Willful Neglect (Not corrected) $73,011 $2,190,294 $2,190,294

While these are the official penalty amounts, OCR has not rescinded its 2019 Notice of Enforcement Discretion. In 2019, OCR reviewed the text of the HITECH Act and determined there had been a misinterpretation. OCR issued a Notice of Enforcement Discretion, lowering the maximum penalties and annual caps in three of the four penalty tiers. The effective penalties for HIPAA violations, per the Notice of Enforcement Discretion, are detailed in the table below. OCR can rescind the Notice of Enforcement Discretion at any point, but cannot change the penalties detailed in the table above without further rulemaking.

Penalty Tier Minimum Penalty Maximum Penalty Annual Penalty Cap
Did Not Know $145 $36,505.50 $36,505.50
Reasonable Cause $1,461 $73,011 $146,053
Willful Neglect (Corrected within 30 days) $14,602 $73,011 $365,052
Willful Neglect (Not corrected) $73,011 $2,190,294 $2,190,294

Penalties for Violations of the Part 2 Regulations

Violations of the Part 2 regulations are now enforced by OCR, following the update to the Part 2 regulations to align them more closely with HIPAA. While violations are penalized with the same penalty structure as HIPAA, the penalties are not the same. OCR has taken the starting point to be the penalty amounts stipulated by the HITECH Act of 2009, rather than the current penalty amounts for HIPAA violations, which have increased annually in line with inflation since 2009. As such, violations of the Part 2 regulations are penalized less severely than violations of the HIPAA Rules, despite Part 2-covered data being considered more sensitive. Per the recent publication in the Federal Register, the penalties for violations of the Part 2 regulations are as follows.

Penalty Tier Minimum Penalty Maximum Penalty Annual Penalty Cap
Did Not Know $103 $51,299 $1,538,970
Reasonable Cause $1,026 $1,538,970 $1,538,970
Willful Neglect (Corrected within 30 days) $10,260 $1,538,970 $1,538,970
Willful Neglect (Not corrected) $51,299 $1,538,970 $1,538,970

The post HHS Applies Inflation Increase to Penalties for HIPAA Violations appeared first on The HIPAA Journal.

58% of College Students Would Violate HIPAA and Sell Patient Data for the Right Price

Posted by Steve Alder

A recent study exploring insider cybersecurity threats revealed that a majority of college students would be willing to violate the HIPAA Rules and steal and disclose patient data if they were paid to do so, provided the price was right. The amount of money required ranged from less than $10,000 to more than $10 million. The study was conducted by Lawrence Sanders, professor emeritus, University of Buffalo, Department of Management Science and Systems, and colleagues at the School of Management, and builds on a 2020 study that explored the price of healthcare privacy violations.

The 2020 study, published in JMIR Medical Informatics, was conducted on 523 students (average age of 21) who were about to enter the workforce. The respondents were asked to imagine that they had been employed by a hospital, and were given five scenarios in which they were asked if they would illegally obtain and disclose sensitive health information. 46% of respondents admitted that they would violate HIPAA and patient privacy if the price was right. In one of the scenarios, study participants were asked if they would obtain and disclose a politician’s medical records in exchange for $100,000, if the money was needed to pay for an experimental treatment for their mother that insurance wouldn’t cover. 79% of respondents said they would.

The follow-up study, which focused on cybersecurity insiders, was conducted on 500 undergraduate college students in technology-related programs, who represented future IT workers in the healthcare industry. They were asked to imagine they had been employed by a hospital, were being paid between $30,000 and $100,000, and were under financial stress and had been approached and asked to obtain and leak information about a famous patient at the hospital.

They were informed about HIPAA and how the federal law prohibited unauthorized access and disclosure of protected health information, yet 58% said they would violate HIPAA in exchange for payment. The amount of money required was less than $10,000 in some cases, and whether they would be tempted – and the amount required – varied depending on the employee’s salary leveland the perceived probability of being caught. The higher the employee’s salary, the more money was required to violate HIPAA and steal data. Individuals who had an interest in ethical hacking generally required less money to violate HIPAA, as was the case with individuals with an interest in unethical hacking, if they were assured that they would not be caught.

The study highlights the risk of insider data breaches and the importance of training on the HIPAA Privacy Rule requirements and the consequences of HIPAA violations, making it clear to all workers that if violations are discovered, the consequences of HIPAA violations can be severe.

“As cyberattacks and data breaches continue to rise, particularly in health care and other data-intensive sectors, our findings underscore the need for organizations to address the human and economic dimensions of cybersecurity alongside traditional technical controls,” said Professor Sanders. “Promoting awareness and education can discourage people from engaging in cybercrime by highlighting the negative consequences and risks associated with it. Initiatives that promote economic opportunity, social inclusion, cybersecurity literacy and a more secure digital environment are part of the solution.”

The post 58% of College Students Would Violate HIPAA and Sell Patient Data for the Right Price appeared first on The HIPAA Journal.

OCR Advises HIPAA-Regulated Entities to Take Steps to Harden System Security

Posted by Steve Alder

In the first of its 2026 quarterly cybersecurity newsletters, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) urged HIPAA-regulated entities to take steps to harden system security and make it more difficult for hackers to gain access to their networks and sensitive patient and health plan member data.

The HIPAA Security Rule requires HIPAA-regulated entities to ensure the confidentiality, integrity, and availability of electronic protected health information that the regulated entity creates, receives, maintains, or transmits, which must include identifying risks and vulnerabilities to ePHI and taking timely action to reduce those risks and vulnerabilities to a low and acceptable level. OCR Director Paula Stannard has already stated this year that OCR will be looking closely at HIPAA Security Rule compliance. OCR will continue with its risk analysis enforcement initiative, which will evolve to include risk management to ensure that regulated entities are taking prompt action to reduce risks and vulnerabilities to ePHI identified by their risk analyses.

OCR explained in the newsletter that risks can be reduced by creating a set of standardized security controls and settings for different types of electronic information systems, addressing security weaknesses and vulnerabilities, and customizing electronic information systems to reduce the attack surface.

OCR reminded medical device manufacturers that they have an obligation to ensure that their devices include accurate labelling to allow users to take steps to ensure the security of the devices throughout the product lifecycle, and the importance of following Food and Drug Administration (FDA) guidance on security risk management, security architecture, and security testing. Healthcare providers need to read the labelling on their devices carefully and ensure they understand how the devices should be configured to remain safe and effective through the entire product lifecycle.

OCR highlighted three key areas for hardening system security, all of which are vital for HIPAA Security Rule compliance. Threat actors search for known vulnerabilities that can be exploited to gain a foothold in a network, including vulnerabilities in operating systems, software, and device firmware. Whether the device is brand new or has been in use for some time, patches must be applied to fix known vulnerabilities. It may not be possible to patch vulnerabilities as soon as they are discovered; however, other remedial actions should be taken, as recommended by vendors, to reduce the risk of exploitation until patches are released and can be applied. A comprehensive and accurate IT asset inventory should be maintained, and policies and procedures developed and implemented to ensure a good patching cadence for all operating systems, software, and devices.

All organizations should take steps to reduce the attack surface by removing unnecessary software and devices, including software and devices that are no longer used, software features included in operating systems that serve no purpose for the regulated entity, and generic and service accounts created during the installation process. Accounts created during installation may have default passwords, which must be changed. OCR explained that in many of its investigations, accounts have been found for well-known databases, networking software, and anti-malware solutions that still have default passwords that provide privileged access.

Many cyberattacks occur as a result of misconfigurations. HIPAA-regulated entities must ensure security measures are installed, enabled, and properly configured. “Security measures often found in operating systems, as well as some other software, intersect with some of the technical safeguard standards and implementation specifications of the HIPAA Security Rule, such as, for example, access controls, encryption, audit controls, and authentication,” explained OCR. “A regulated entity’s risk analysis and risk management plan can inform its decisions regarding the implementation of these and other security measures.”

As OCR will be scrutinizing risk management and has advised regulated entities of their responsibilities to harden system security, all regulated entities should ensure they take the advice on board. “Defining, creating, and applying system hardening techniques is not a one-and-done exercise,” explained OCR. “Evaluating the ongoing effectiveness of implemented security measures is important to ensure such measures remain effective over time,” and is essential for HIPAA Security Rule compliance.

The post OCR Advises HIPAA-Regulated Entities to Take Steps to Harden System Security appeared first on The HIPAA Journal.

Is Saying Someone Died a HIPAA Violation?

Posted by Steve Alder

In answer to the question is saying someone died a HIPAA violation, it depends on who is making the statement, who the statement is made to, and what other information is disclosed with the statement. Saying someone died can be a HIPAA violation, but – as this blog discusses – in most cases it is not.

Among other purposes, the HIPAA Privacy Rule protects the privacy of individually identifiable health information relating to the past, present, or future health condition of an individual. Organizations subject to the HIPAA Privacy Rule – and their workforces – must comply with this requirement with respect to a deceased individual “for a period of 50 years following the death of the individual”.

However, not all organizations are subject to the HIPAA Privacy Rule. If, for example, an employee of a private nursing home which does not qualify as a HIPAA “covered entity” revealed somebody had died, it is not a HIPAA violation because the nursing home is not required to protect the privacy of individually identifiable health information (Note: although this might not be a violation of HIPAA, disclosing private information of this nature may violate state privacy laws in some circumstances).

Even when an organization is subject to the HIPAA Privacy Rule, it is not automatically the case that saying someone died is a HIPAA violation. “Covered entities” are permitted to disclose individually identifiable health information to specific people, subject to the disclosure being limited to the minimum necessary to achieve the purpose of the disclosure, and subject to any prior expressed wish of the deceased relating to what information can be disclosed. Healthcare providers should receive HIPAA training on permitted disclosures of this nature.

Who Can Be Told Someone Has Died Under HIPAA?

The HIPAA Privacy Rule stipulates who can be told when someone has died in sections §164.510(b) and §164.512(g). The first section allows covered entities to disclose information about deceased individuals to family members, other relatives, close personal friends, or any other individual identified by the deceased individual while they were alive. All disclosures to people in this group are subject to the verification requirements of §164.514(h).

Persons or entities that were involved in the deceased person´s care or payment for health care can also be told the patient has died under §164.510(b), while §164.512(g) permits covered entities to disclose individually identifiable health information to a coroner or medical examiner to identify the deceased person, determine the cause of death, or other duty as authorized by law. Under this section, covered entities can also tell funeral directors somebody has died.

In all permitted circumstances, the information disclosed must be the minimum necessary to achieve the purpose of the disclosure, and must respect any wishes known by the covered entity prior to the patient’s death. If a patient died (say) due to injuries sustained in a road accident, but also suffered from a lung condition, covered entities are not permitted to disclose the lung condition or any other related treatment or payment for the treatment.

When is Saying Someone Died a HIPAA Violation?

There are not many circumstances when saying someone died is a HIPAA violation and usually violations of this nature only occur when a member of a covered entity’s workforce:

  • Discloses information to somebody not permitted by the HIPAA Privacy Rule,
  • Discloses more than the minimum necessary information about the deceased, or
  • Discloses information it is known the deceased did not want disclosed.

However, it is important to note the HIPAA Privacy Rule generally applies to a deceased person’s health information in the same way as a living person’s health information. In the same way as an individual’s “personal representative” can authorize disclosures of health information not permitted by the HIPAA Privacy Rule on the individual’s behalf when they are alive, a personal representative can do the same when the individual is deceased.

In most states, a deceased individual’s “personal representative” is the next of kin. If the next of kin authorizes a disclosure to somebody not permitted by the HIPAA Privacy Rule, a disclosure of more than the minimum necessary information, or a disclosure of information the deceased did not want disclosed, these events are no longer HIPAA compliance violations. If you are still uncertain about when is saying someone died a HIPAA violation, you should seek professional compliance advice.

The post Is Saying Someone Died a HIPAA Violation? appeared first on The HIPAA Journal.

Final Rule Implementing Proposed HIPAA Privacy Rule Changes Edges Closer

Posted by Steve Alder

In January 2021, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) published a proposed update to the HIPAA Privacy Rule – Modifications to the HIPAA Privacy Rule to Support, and Remove Barriers to, Coordinated Care and Individual Engagement.

The purpose of the update is to revise the HIPAA Privacy Rule to strengthen individuals’ rights to access their own health information, improve care coordination, and reduce the compliance burden on healthcare providers and health plans, while continuing to protect the privacy of patients. Under the Biden administration, the proposed update did not appear to be a priority for the HHS, and there have been no signs during the first year of the new Trump administration that a final rule is any closer to being published; however, that changed on January 14, 2026, when OCR Director Paula M. Stannard published a notification of Tribal consultation on the 2021 Rule in the Federal Register.

It has been five years since the proposed update to the HIPAA Privacy Rule was published in the Federal Register, and while there has been little mention of the proposed update over the past half-decade, a final rule appears to be close to publication. Ahead of the final rule, a Tribal consultation meeting will be held virtually via Zoom on February 6, 2026, pursuant to Executive Order 13175 and the HHS Tribal Consultation Policy.

The consultation will cover several different topics, with OCR seeking feedback on the proposed changes to strengthen individuals’ rights to their own health information; the measures proposed to improve care coordination and case management; the enhanced flexibilities for disclosures of patient information in emergencies and threatening circumstances; the support for the use of telecommunications relay services by individuals and workforce members who are deaf, hard of hearing, deaf-blind, or who have a speech disability;  and the expanded permission to use and disclose the PHI of Armed Forces service personnel for national readiness purposes.

While the Tribal consultation is a sign of progress toward a final rule implementing some or all of the proposed changes, there are no indications at present when the final rule will be published. When and if that time comes, HIPAA-regulated entities will be given sufficient time to update their policies, procedures, and practices and provide training to the workforce on the new Privacy Rule requirements before OCR starts enforcement.

In the meantime, OCR has indicated that it is continuing with its enforcement initiatives targeting the HIPAA Right of Access provision of the HIPAA Privacy Rule, parental access to the medical records of minor children, and the risk analysis provision of the HIPAA Security Rule, and an expansion of that program to cover risk management. OCR has also indicated that a new enforcement initiative will soon be launched for the confidentiality of substance use disorder treatment records, pursuant to the recent changes to the Part 2 regulations to align them more closely with HIPAA.

The post Final Rule Implementing Proposed HIPAA Privacy Rule Changes Edges Closer appeared first on The HIPAA Journal.

Texas Attorney General Dismisses Complaint Against HHS Seeking Vacatur of HHS Final Rules

Posted by Steve Alder

Texas Attorney General Ken Paxton has filed a joint stipulation of dismissal without prejudice, seeking to dismiss all claims in a September 2024 complaint against the U.S. Department of Health and Human Services (HHS), former HHS Secretary Xavier Becerra, and former Office for Civil Rights (OCR) Director Melanie Fontes Rainer. On November 24, 2025, the court granted Paxton’s request and dismissed the lawsuit.

The complaint was filed in response to the HIPAA Privacy Rule to Support Reproductive Healthcare Privacy Final Rule issued by the Biden Administration and added to the Federal Register in April 2024. The complaint sought declaratory and injunctive relief against the enforcement of the rule by the HHS, and to vacate another final rule, the HIPAA Privacy Rule of 2000. AG Paxton alleged that the HHS had overstepped its authority when issuing both final rules.

The decision to dismiss the lawsuit was likely influenced by a ruling in a separate lawsuit, filed in Texas last year by Dr. Carmen Purl, who runs Dr. Purl’s Fast Care Walk-in Clinic in Dumas, Texas. The lawsuit, Carmen Purl, et al., v. United States Department of Health and Human Services et al, was filed in the U.S. District Court for the Northern District of Texas, Amarillo Division, also in response to the HIPAA Privacy Rule to Support Reproductive Healthcare Privacy Final Rule.

The reproductive healthcare final rule was issued by the Biden administration as part of its response to the Supreme Court’s decision in Dobbs v. Jackson Women’s Health Organization in 2022 that overturned Roe v. Wade, which for 50 years had protected the right to abortion prior to the point of fetal viability. With Roe v. Wade overturned, the legality of abortion became a state rather than federal matter, and almost half of U.S. states subsequently passed laws banning or restricting abortions.

The final rule created a new subclass of protected health information, reproductive health information, restricting disclosures of that information to government authorities and law enforcement. The final rule effectively prevented states from obtaining reproductive health information to hold individuals and healthcare providers liable under state law for abortions obtained legally out of state.

Purl alleged that the final rule was arbitrary and capricious and exceeded the HHS’s statutory authority, claiming the final rule impaired the clinic’s ability to participate in public health investigations and comply with state law that requires suspected child abuse to be reported. The lawsuit was successful, with the court dismissing the defendants’ motion to dismiss and vacating most of the modifications to the HIPAA Privacy Rule, which were deemed unlawful for distinguishing between different types of health information to accomplish political ends. The Notice of Privacy Practices requirements for healthcare providers covered by the Part 2 regulations relating to substance use disorder were not vacated. While the lawsuit originated in the state of Texas, the ruling had nationwide effect. The HHS chose not to appeal the decision.

The court’s decision to vacate the Reproductive Healthcare Privacy Final Rule achieved some of the main goals of AG Paxton’s complaint, which likely played a key role in the decision to seek dismissal of the complaint. Since the complaint was dismissed without prejudice, AG Paxton retains the right to refile the same complaint in the future, should he so wish.

The decision to dismiss the complaint is good news for Americans, as the HIPAA Privacy Rule ensures that their personally identifiable health information is protected and can only be used for reasons related to treatment, payment for healthcare, and healthcare operations without their express consent. The HIPAA Privacy Rule also gave patients rights over their health information, allowing them to obtain a copy of their health data, request errors be corrected, ask for restrictions on disclosures, and be provided with an accounting of disclosures of their PHI to learn who has been provided with their health information.

The post Texas Attorney General Dismisses Complaint Against HHS Seeking Vacatur of HHS Final Rules appeared first on The HIPAA Journal.

OCR Requests HIPAA Risk Management Questions for Upcoming Video Presentation

Posted by Steve Alder

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is working on a video presentation to explain the requirements of the risk management process of the HIPAA Security Rule and has requested risk management questions from HIPAA-regulated entities.

The risk analysis is a foundational element of the HIPAA Security Rule that requires risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI) to be identified. OCR frequently identifies risk analysis failures in its investigations of data breaches, complaints, and through its HIPAA compliance audit program, including incomplete and nonexistent risk analyses. It is the most commonly identified HIPAA Security Rule violation, and a frequent reason for imposing a financial penalty.

OCR has released guidance to help HIPAA-regulated entities conduct a risk analysis, and a downloadable risk assessment tool for small- and medium-sized regulated entities to guide them through the process. After conducting a risk analysis, all identified risks and vulnerabilities to ePHI must be subjected to a risk management process, detailed in § 164.308(a)(1)(ii)(B) of the administrative safeguards of the HIPAA Security Rule. Risk management is defined as “Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with § 164.306(a) [Security Standards: General Rules].”

Two of OCR’s enforcement actions this year included penalties for risk management failures – the $3,000,000 penalty for Solara Medical Supplies and the $1,500,000 Warby Parker, Inc. HIPAA violation penalty. To clear up any potential confusion about the risk management process, OCR is producing a video presentation – HHS’ OCR Presents: The HIPAA Security Rule: Risk Management.

Nick Heesters, OCR’s Senior Advisor for Cybersecurity, will be covering various aspects of the risk management provision of the HIPAA Security Rule in the presentation. Heesters will flesh out what is required in terms of risk management, the use of cybersecurity resources, and he will provide insights into OCR’s investigations into potential risk management HIPAA violations.

Since this will be a pre-recorded video presentation rather than a live webinar, OCR has requested questions from HIPAA-regulated entities about the risk management requirement of the HIPAA Security Rule, a selection of which will be answered during the presentation. If you have any questions related to risk management, this is an ideal opportunity to get the answers you seek. Questions should be submitted to OCR no later than  December 8, 2025, via email at OCRPresents@hhs.gov

The post OCR Requests HIPAA Risk Management Questions for Upcoming Video Presentation appeared first on The HIPAA Journal.