HIPAA Compliance News

July 2025 Healthcare Data Breach Report

Posted by Steve Alder

U.S. healthcare data breaches are down 34.1% month-over-month, and 44.5% fewer individuals had their healthcare data exposed. HIPAA-regulated entities reported 48 data breaches affecting 500 or more individuals in July, 12 fewer than the monthly average over the past 12 months.

Healthcare data breaches in the past 12 months - July 2025

July saw the lowest number of reported healthcare data breaches since September 2024, although the monthly total is likely to increase as there is often a delay between an entity reporting a data breach to the HHS’ Office for Civil Rights (OCR) and it being added to the OCR breach portal. For instance, in August 2024, when we compiled the July 2024 healthcare data breach report, there were 43 data breaches, with the total increasing to 49 over the next few months.

July healthcare data breaches 2020-2025

July’s total is therefore likely to be slightly higher than July 2024, and data breaches are up slightly year-over-year. When we compiled our July 2024 data breach report on July 20, 2024, 435 data breaches affecting 500 or more individuals had been reported to OCR. This year’s total for January 1, 2025, to July 31, 2025, stands at 444 data breaches – a 2% year-over-year increase.

Individuals affected by healthcare data breaches in the past 12 months

There has also been a fall in the number of individuals affected by healthcare data breaches. Across the 48 reported data breaches, 4,397,900 individuals had their healthcare data exposed or impermissibly disclosed – a 44.5% month-over-month reduction, and 1.37 million fewer individuals than the 12-month average of 5,769,912 individuals a month.

Individuals affected by july data breaches 2020 - 2025

While there has been a month-over-month fall in affected individuals based on current data, July’s total will increase further as breached organizations complete their data breach investigations and file reviews. As it stands, the number of affected individuals is down 97.8% from the 200 million+ individuals affected by data breaches last year. It should be noted that the July 2024 total includes the data breach at Change Healthcare, which affected 192.7 million individuals. When we compiled the data for last July’s data breach report, the OCR breach portal only showed 1.2 million affected individuals.

Biggest Healthcare Data Breaches in July 2025

In July, 16 HIPAA-regulated entities (healthcare providers, health plans, and healthcare clearinghouses) and business associates reported data breaches affecting 10,000 or more individuals, all of which were hacking incidents. Two data breaches stand out in terms of the number of affected individuals – the hacking incident at Anne Arundel Dermatology and Radiology Associates of Richmond (RAR), which combined affected more than 3.3 million individuals, 75.6% of the month’s total affected individuals.

It is unclear from the breach reports whether ransomware was used in either of these incidents. Hackers had access to the RAR network for four days in April 2024, but were camped in the Anne Arundel network for three months before the intrusion was detected. Several dermatology practices and medical imaging providers have reported data breaches in recent months, which suggests these types of entities may have been targeted specifically by threat actors.

Three of the top 16 data breaches were reported as ransomware attacks, although ransomware may have been used in more attacks. It is now common for data breach notification letters to omit the cause of the breach, and relatively few mention ransomware, even when ransomware groups have claimed responsibility for an attack.

Name of Regulated Entity State Entity Type Individuals Affected Cause of Breach
Anne Arundel Dermatology MD Healthcare Provider 1,905,000 Hacking incident
Radiology Associates of Richmond, Inc. VA Healthcare Provider 1,419,091 Hacking incident
Zumpano Patricios, P.A. FL Business Associate 279,275 Hacking incident
Cierant Corporation CT Business Associate 232,506 Hacking incident (Cleo VL Trader MFT)
Alera Group, Inc. IL Business Associate 155,567 Hacking incident
McKenzie Memorial Hospital MI Healthcare Provider 58,839 Hacking incident
Wood River Health RI Healthcare Provider 54,926 Hacking incident (Email accounts)
Gastroenterology Consultants of South Texas TX Healthcare Provider 44,579 Ransomware attack (Interlock)
Infinite Services, Inc. NY Healthcare Provider 31,742 Ransomware attack
Self Regional Healthcare SC Healthcare Provider 26,696 Hacking incident at business associate (Nationwide Recovery Service)
Dr. Michael Bilikas and Associates d.b.a. 32 Pearls WA Healthcare Provider 23,517 Ransomware attack
AVALA Holdings LA Healthcare Provider 22,732 Hacking incident
Keys Pathology Associates, PA FL Healthcare Provider 20,000 Hacking incident
Northwest Denture Center, Inc. WA Healthcare Provider 19,419 Hacking incident
Arbor Associates, Inc. MI Business Associate 17,040 Hacking incident
Florida Lung, Asthma & Sleep Specialists (FLASS) FL Healthcare Provider 10,000 Hacking incident

The above list could grow as data breach investigations conclude. The HIPAA Breach Notification Rule requires HIPAA-regulated entities to report a data breach within 60 days of discovery, and when that deadline is reached, data breach investigations may not have concluded. In such cases, many regulated entities submit a breach report with a placeholder figure of 500 or 501 affected individuals as an interim total. In July, five regulated entities reported data breaches using a 500 or 501 figure.

Name of Regulated Entity State Entity Type Breach Size Cause of Breach
Kettering Adventist Healthcare OH Healthcare Provider 501 Hacking/IT Incident (Network server)
Human Development Services of Westchester NY Healthcare Provider 501 Hacking/IT Incident (Email)
Naper Grove Vision Care IL Healthcare Provider 501 Hacking/IT Incident (Network server)
Doctors’ Memorial Hospital FL Healthcare Provider 500 Hacking/IT Incident (Network server)
Northwest Medical Homes, LLC OR Healthcare Provider 500 Hacking/IT Incident (Network server)

Causes of July 2025 Healthcare Data Breaches

Hacking is now the leading cause of data breaches, with July seeing 83.3% of incidents involving hacking or other IT-related issues. On average, 109,620 individuals were affected by these types of data breaches (median: 5,137 individuals).  Hacking/IT incidents accounted for 99.7% of breached healthcare records in July (4,384,794 individuals).

causes of July 2025 healthcare data breaches

There were 8 unauthorized access/disclosure incidents in July, affecting just 13,638 individuals. The average breach size was 1,638 individuals, and the median breach size was 892 individuals. There were no theft incidents, loss incidents, or improper disposal incidents in July, as was the case in June 2025. The most common location of breached protected health information was network servers, followed by email accounts, with just 6 breaches involving protected health information stored in other locations.

Location of breached healthcare data - July 2025

Affected HIPAA Regulated Entities

In July, large data breaches were reported by 37 healthcare providers (3,700,390 affected individuals), 10 business associates (696,727 affected individuals), and one health plan (783 affected individuals). Under HIPAA, it is ultimately the responsibility of each covered entity to ensure the requirements of the HIPAA Breach Notification Rule are met, and some covered entities report breaches that occur at business associates. Many healthcare data breach reports are based on the reporting entity, rather than the entity that suffered the data breach. The charts below show where the breach occurred rather than the entity reporting the data breach.

Data breaches at HIPAA-regulated entities in July 2025

Individuals affected by healthcare data breaches at HIPAA-regulated entities - July 2025

Geographical Distribution of July 2025 Healthcare Data Breaches

HIPAA-regulated entities in 22 U.S. states reported data breaches in July. Florida was the worst-affected state with 9 entities reporting data breaches, although three of those reports were about the same incident, which affected multiple skilled nursing facilities. Texas was the second-worst affected state with 4 data breaches, followed by California, Massachusetts & Michigan, which each had three breaches.

State Individuals Affected
Florida 9
Texas 4
California, Massachusetts & Michigan 3
Georgia, Illinois, New York, Ohio, South Carolina, Virginia & Washington 2
Colorado, Connecticut, Louisiana, Maryland, North Carolina, Pennsylvania, Rhode Island, Tennessee, Wisconsin & West Virginia 1

In terms of affected individuals, Maryland topped the list with 1,905,000 individuals affected by a single data breach, followed by Virginia with 1,421,658 individuals affected by two data breaches. Florida was the third-worst-affected state, with 328,471 individuals affected by its 9 data breaches.

HIPAA Enforcement Activity in July 2025

It has been a busy year of HIPAA enforcement, with 18 settlements and civil monetary penalties announced by OCR up to July 31, 2025. Based on the announcements so far, 2025 looks set to be a record-breaking year for HIPAA penalties.

In October 2024, OCR announced a new enforcement initiative looking at compliance with the risk analysis provision of the HIPAA Security Rule. OCR has targeted this HIPAA provision as it is the most commonly identified HIPAA Security Rule violation, and is a foundational requirement that arguably has the biggest impact on security posture. Two enforcement actions were announced in July, both of which resolved risk analysis failures.

Deer Oaks – The Behavioral Health Solution was investigated over an August 2023 ransomware attack that involved the exfiltration of files containing the protected health information of 171,871 individuals. OCR determined that there had been an impermissible disclosure of patients’ electronic protected health information, and Deer Oaks was unable to provide evidence to show that a thorough and accurate risk analysis had been conducted. The case was settled with a $225,000 penalty and a corrective action plan.

Syracuse ASC (Specialty Surgery Center of Central New York) was investigated over a 2021 ransomware attack that exposed the data of 24,891 current and former patients. Syracuse ASC was unable to provide evidence to show that it had ever conducted a risk analysis to identify risks and vulnerabilities to protected health information. Further, the data breach was identified on March 31, 2021, but OCR and the affected individuals were not notified for six and a half months, four and a half months later than the maximum reporting time under the HIPAA Breach Notification Rule. The case was settled with a $250,000 financial penalty and a corrective action plan. Across the 18 HIPAA penalties in 2025, OCR has collected $7,860,566 to resolve alleged violations of the HIPAA Rules.

The post July 2025 Healthcare Data Breach Report appeared first on The HIPAA Journal.

New York Business Associate Pays $175,000 to Resolve HIPAA Risk Analysis Violation

Posted by Steve Alder

A New York business associate has chosen to settle an alleged violation of the Health Insurance Portability and Accountability Act (HIPAA) Security Rule with the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) and will pay a $175,000 financial penalty.

BST & Co. CPAs, LLP, is a public accounting, business advisory, and management consulting firm that has clients in the healthcare industry. The provision of services to HIPAA-covered entities requires access to financial information, which includes information protected under HIPAA. As such, BST & Co. CPAs is classed as a business associate and is required to comply with the HIPAA Rules.

OCR launched an investigation following a report of a breach of protected health information in a ransomware attack. The Maze ransomware group had access to the BST & Co. CPAs network between December 4, 2019, and December 7, 2019, and installed ransomware that was used to encrypt files. The attack was detected on December 7, 2019, and the forensic investigation revealed that initial access was achieved following a response to a phishing email.

The ransomware group had access to parts of the network where protected health information was stored. In total, the protected health information of up to 170,000 individuals was potentially compromised in the attack, including names, dates of birth, medical record numbers, medical billing codes, and insurance descriptions relating to patients of the New York medical group, Community Care Physicians P.C. OCR was notified about the attack and data breach on February 16, 2020.

OCR investigates all data breaches impacting 500 or more individuals to determine if noncompliance with the HIPAA Rules was a factor in the data breach. OCR found no evidence to suggest that a HIPAA-compliant risk analysis had been conducted. The risk analysis is a foundational provision of the HIPAA Security Rule and requires regulated entities to identify risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information. If the risk analysis is not conducted or is incomplete, risks are likely to remain unaddressed and can be exploited to gain access to protected networks and sensitive data.

OCR currently has a risk analysis enforcement initiative focused on this important Security Rule provision, as while it is one of the most important HIPAA provisions, it is also one of the most common areas of noncompliance. Under this specific enforcement initiative, OCR has resolved ten cases with a financial penalty. So far this year, OCR has announced nineteen enforcement actions that included a financial penalty to resolve HIPAA noncompliance. Sixteen of those investigations uncovered risk analysis failures.

“A HIPAA risk analysis is essential for identifying where ePHI is stored and what security measures are needed to protect it,” said OCR Director Paula M. Stannard.  “Completing an accurate and thorough risk analysis that informs a risk management plan is a foundational step to mitigate or prevent cyberattacks and breaches.”

In addition to the financial penalty, BST & Co. CPAs has agreed to adopt a corrective action plan and will be monitored for compliance with that plan for 2 years. The plan includes the requirement to conduct a comprehensive and accurate risk analysis and develop and implement a risk management plan to address all identified risks and vulnerabilities. BST & Co. CPAs must also develop, implement, and maintain policies and procedures to ensure HIPAA compliance, distribute those policies and procedures to the workforce, provide HIPAA training to the workforce, and augment its security awareness training program.

With nineteen HIPAA enforcement actions announced by OCR so far this year, 2025 looks set to become the most active year for OCR in terms of HIPAA enforcement. These penalties send a message to all HIPAA-regulated entities about the importance of HIPAA compliance. Across those nineteen enforcement actions, OCR has collected more than $8 million in financial penalties.

OCR penalties for HIPAA violations 2009-2025

The post New York Business Associate Pays $175,000 to Resolve HIPAA Risk Analysis Violation appeared first on The HIPAA Journal.

Healthplex Settles Alleged Cybersecurity Failures with NYDFS for $2 Million

Posted by Steve Alder

Healthplex, one of the largest providers of dental health insurance programs in New York State, has agreed to a settlement with the New York Department of Financial Services (NYDFS) to resolve alleged violations of the NYDFS Cybersecurity Regulation (23 NYCRR Part 500). Healthplex has agreed to pay a $2 million financial penalty to New York State and take steps to improve its cybersecurity posture.

The Cybersecurity Regulation took effect in 2017 and requires all financial institutions operating in New York State to implement and maintain a robust cybersecurity program. Some of the key requirements include conducting risk assessments, managing risks, and implementing security policies and procedures, an incident response plan, and multifactor authentication.

Healthplex is a licensed provider of dental insurance management services and must therefore comply with the Cybersecurity Regulation. NYDFS launched a compliance investigation after Healthplex reported a cybersecurity event to NYDFS on April 8, 2022. Healthplex discovered the incident on November 24, 2021, when employees received a suspicious email from an account associate’s account and reported it internally to the security team.

The investigation confirmed that an account associate in customer service had responded to a phishing email that was received on November 22 or 23, 2021. The email required Office 365 email login credentials to be provided to receive a fax message. The credentials were captured, and the threat actor accessed the Office 365 account. The account was used to send further phishing emails, and it was found to contain the protected health information of 89,955 individuals.

The NYDFS investigation revealed that there was no data retention policy limiting the information stored in email accounts, in violation of § 500.13 of the Cybersecurity Regulation. The employee had worked for the company for approximately 20 years, and their account contained more than 100,000 emails. Further, multifactor authentication (MFA) had not been set up for its Office 365 email environment, so a compromised password was all that was required to access the account and the sensitive and nonpublic data of tens of thousands of individuals.

Healthplex had implemented MFA for its email environment; however, it failed to ensure that MFA was completely operational when it migrated to Office 365 earlier in the year. With the password obtained in the phishing attack, the entire contents of the account could be accessed via a standard web browser. § 500.12(b) of the Cybersecurity Regulation requires MFA to be implemented for remote access to the covered entity’s information systems and third-party applications.

The required cybersecurity program must ensure that a covered entity is able to report cybersecurity events promptly. The Superintendent must be notified within 72 hours of the discovery of a cybersecurity event. While the event was detected on November 24, 2021, the Superintendent was not notified until April 8, 2022, in violation of § 500.17(a) of the Cybersecurity Regulation.  Healthplex had certified that it was compliant with the Cybersecurity Regulation for 2021, but the investigation confirmed that not to be the case, in violation of § 500.17(b). The lack of policies for secure disposal of data on a periodic basis was in violation of § 500.13 of the Cybersecurity Regulation.

In addition to the financial penalty, Healthplex has agreed to strengthen its cybersecurity controls to ensure compliance with the Cybersecurity Regulation and will hire an independent third-party auditor to conduct a current audit of the MFA controls of its business infrastructure and shared systems that support its core business functions.

This is not the first financial penalty for Healthplex over the phishing incident. In 2023, Healthplex settled an investigation with the New York Attorney General and paid a financial penalty of $400,000 to resolve alleged violations of HIPAA and state data security and consumer protection laws.

The post Healthplex Settles Alleged Cybersecurity Failures with NYDFS for $2 Million appeared first on The HIPAA Journal.

Crisis Pregnancy Centers’ Websites Edited After Scrutiny of HIPAA Claims

Posted by Steve Alder

Back in February, The HIPAA Journal reported on the efforts of the non-profit watchdog organizations the Campaign for Accountability and the Electronic Frontier Foundation (EFF) to prevent crisis pregnancy centers (CPCs) from claiming or implying they are bound by the Health Insurance Portability and Accountability Act (HIPAA) on their websites and intake forms, when they are not HIPAA-regulated entities.

Most CPCs are not licensed healthcare providers and are therefore not bound by the HIPAA Rules, yet CPCs have been identified by the Campaign for Accountability and EFF that imply that they are bound by the HIPAA Rules. Regardless of personal opinions about abortion procedures and reproductive healthcare, implying that personal data is protected by HIPAA when it is not is a deceptive business practice.

Under HIPAA, regulated entities are healthcare providers, health plans, healthcare clearinghouses, and business associates of those entities, and all are required to comply with the HIPAA Rules. One of the requirements of HIPAA is to have a notice of privacy practices, which should be displayed in a prominent position in a physical location and be published on the entity’s website. The notice of privacy practices must clearly state how the entity may use and share health information, individuals’ privacy rights, and how to make a complaint about a potential privacy violation, including the right to file a complaint with the Department of Health and Human Services (HHS).

Investigations by the watchdogs identified CPCs that have a website notice of privacy practices, which indicates compliance with the HIPAA Rules. Some even state in their notice of privacy practices that individuals can file a complaint with the HHS if they feel their privacy has been violated. While anyone can file a complaint with the HHS about a potential HIPAA violation, the HHS will not act on any complaint if it is filed against a non-HIPAA-regulated entity. While a CPC may comply with its published privacy policy, uses and disclosures of personally identifiable health information are not subject to HIPAA protections, and implying or stating that information is protected under HIPAA misleads consumers about privacy protections.

Both the Campaign for Accountability and the Electronic Frontier Foundation filed complaints with several state attorneys general about the alleged deceptive business practices. In 2024, the Campaign for Accountability filed complaints with the state attorneys general in Idaho, Minnesota, Washington, Pennsylvania, and New Jersey, and this year, EFF filed complaints with the state attorneys general in Arkansas, Missouri, Texas, and Florida. The complaints included examples of CPCs in the respective states that were alleged to have engaged in deceptive business practices.

The complaints include numerous statements from CPC websites indicating HIPAA compliance, when those entities are not bound by the HIPAA Rules. For example, some CPCs state “client information is held in strict and absolute confidence, according to HIPAA guidelines,” or that they are subject to oversight by the HHS’ Office for Civil Rights, or that their forms are HIPAA-compliant. In one case, a CPC claimed, “If you receive services through [CPC], federal law, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), also protects your health information.” In each case, the CPC is not a HIPAA-regulated entity.

In a recent update, the EFF confirmed that its efforts are showing some signs of success. While substantive responses have not been received from state attorneys general, other than confirmations that the complaints have been received, some CPCs have responded and have made changes to their messaging. “Of the 21 CPCs we cited as exhibits in our complaints, six have completely removed HIPAA references from their websites, and one has made partial changes (removed one of two misleading claims). Notably, every center we flagged in our letters to Texas AG Ken Paxton and Arkansas AG Tim Griffin has updated its website—a clear sign that clinics in these states are responding to scrutiny,” said EFF legislative activist, Rindala Alajaji. “While 14 remain unchanged, this is a promising development. These centers are clearly paying attention—and changing their messaging.”

The post Crisis Pregnancy Centers’ Websites Edited After Scrutiny of HIPAA Claims appeared first on The HIPAA Journal.

Washington Children’s Hospital Fires 15 Nurses for Alleged HIPAA Violations

Posted by Steve Alder

Fifteen nurses at Providence Sacred Heart Medical Center & Children’s Hospital in Spokane, Washington, have been terminated for alleged HIPAA violations. The nurses allegedly accessed the medical records of a 12-year-old patient who committed suicide at the children’s hospital on April 13, 2024, when there was no direct treatment relationship.

Starting in early 2024, the patient had been repeatedly admitted to the emergency department of the hospital after several self-harm incidents and attempts to end her own life. Overnight on April 13, 2024, the patient left her room alone and died after jumping off a 4th-floor parking garage. The hospital launched an investigation and has implemented new security protocols, including suicide risk screening for all patients.

Providence Sacred Heart Medical Center is being sued by the child’s parents for alleged negligence and medical malpractice, as while she was being monitored round the clock by a sitter assigned to her room and via video surveillance, those measures were removed on April 13, 2024, according to the lawsuit. The Washington Department of Health launched an investigation, which is ongoing, and has identified deficiencies that Providence Sacred Heart is addressing.

Fifteen nurses have now been terminated in connection with the incident, and another has been disciplined. Under HIPAA, medical records can generally only be accessed for reasons related to treatment, payment, or healthcare operations. Accessing medical records out of curiosity, even with no malicious intent, is a HIPAA violation. Staff members found to have violated HIPAA face sanctions, which for unauthorized medical record access is often termination.

According to a statement provided to The Spokesman-Review, the terminations were all for patient privacy violations, in accordance with the hospital’s sanctions policy. “Providence takes violations of our code of conduct and federal privacy laws that govern private health information very seriously,” said Providence Sacred Heart spokesperson, Jen York. “We review employee conduct and take appropriate action, including termination of employment, where warranted. Patient privacy is one of our top priorities.”

The Washington State Nurses Association was contacted by the nurses and has filed grievances over the terminations and disciplinary action. “Any information accessed pertained directly to the nurses’ duties responding to this crisis,” said WSNA director David Keepnews. “We reject Providence Sacred Heart’s claims that privacy was violated by nurses who were doing their jobs to assist in efforts to save the life of a 12-year-old girl in the hospital’s care.”

The nurses and WSNA suggest that the terminations and disciplinary action were an act of retaliation for speaking with the media. The hospital allegedly conducted an audit of access logs after the publication of a story by InvestigateWest about the suicide. The story included quotes from anonymous sources at the hospital. The nurses claim they were asked if they had spoken to the media and were subsequently fired.

The post Washington Children’s Hospital Fires 15 Nurses for Alleged HIPAA Violations appeared first on The HIPAA Journal.

OCR Publishes New and Updated HIPAA Privacy Rule Guidance

Posted by Steve Alder

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has published new and updated guidance on certain aspects of the HIPAA Privacy Rule, adding a new FAQ on permitted disclosures of PHI to value-based care arrangements and updating an FAQ on the types of personal health information that individuals can request access to.

The new FAQ relates to disclosures to value-based care arrangements, such as accountable care organizations, for treatment purposes and follows an announcement by the HHS Centers for Medicare and Medicaid Services (CMS) about the steps being taken to improve interoperability and prevent information blocking. At a White House event on July 30, 2025, the Trump Administration explained that commitments had been obtained from several tech firms to work on interoperability and user-friendly apps that empower patients to improve their outcomes and their healthcare experience through seamless sharing of information between patients and providers.

At the event, the CMS unveiled voluntary criteria for trusted, patient-centered, and practical data exchange that will be accessible for all network types—health information networks and exchanges, Electronic Health Records (EHR), and tech platforms. The plan is to create a digital health care ecosystem that will improve patient outcomes, reduce provider burden, and drive value.

The new FAQ explains that “The Privacy Rule generally allows PHI to be used or disclosed without restriction for treatment purposes. This includes disclosures of PHI to participants in value-based care arrangements, such as accountable care organizations.” The FAQ goes on to explain that, “The definition [of treatment] incorporates the necessary interaction of more than one entity. As a result, a covered entity is permitted to disclose PHI, regardless of to whom the disclosure is made, where the disclosure is made for the treatment activities of a health care provider.”

That means that a patient is not required to give their authorization before a covered healthcare provider can disclose PHI for the treatment activities of another healthcare provider, as long as both providers are treating the individual through a value-based care arrangement, such as an accountable care organization. The same applies to disclosures of PHI by health plans to healthcare providers, provided the disclosure enables the healthcare provider to provide treatment as part of a value-based care arrangement.

Change Guidance on Access to Personal Health Information

Under HIPAA, individuals have certain rights over their health records, including the right to obtain a copy of their records (in one or more designated record sets) and request changes to correct inaccuracies. The FAQ on the types of personal health information that individuals can access has been updated to include consent forms for treatment.

Per the updated FAQ, “Individuals have a right to access a broad array of health information about themselves, whether maintained by a covered entity or by a business associate on the covered entity’s behalf, including medical records, billing and payment records, insurance information, clinical laboratory test reports, X-rays, wellness and disease management program information, consent forms for treatment, and notes (such as clinical case notes or “SOAP” notes (a method of making notes in a patient’s chart)”

The post OCR Publishes New and Updated HIPAA Privacy Rule Guidance appeared first on The HIPAA Journal.

Trump Administration Announces Plan to Improve Patient Data Sharing

Posted by Steve Alder

This week, the Trump Administration announced a new initiative aimed at improving interoperability and the exchange of healthcare data, and has obtained pledges from leading healthcare and technology firms to create a foundation for a next-generation digital health ecosystem, which will improve patient outcomes, reduce provider burden, and drive value.

The initiative was announced during a HHS’ Centers for Medicare & Medicaid Services (CMS) hosted White House event dubbed “Make Health Tech Great Again,” and follows years of bipartisan efforts to improve interoperability and eradicate information blocking to improve the quality of care and eliminate waste. “For decades, bureaucrats and entrenched interests buried health data and blocked patients from taking control of their health,” said HHS Secretary Robert F. Kennedy, Jr. “That ends today. We’re tearing down digital walls, returning power to patients, and rebuilding a health system that serves the people. This is how we begin to Make America Healthy Again.”

At the event, the CMS fleshed out its plan, which includes voluntary criteria for trusted, patient-centered, and practical data exchange for all network types: health information networks, exchanges, electronic health records (EHR), and tech platforms. The effort is focused on two key areas: promoting a voluntary CMS Interoperability Framework that will allow data to be easily shared between patients and providers, and making personalized tools available to give patients the information and resources they need to make better health decisions. Under the initiative, more than 60 companies have pledged to work collaboratively to deliver results by the first quarter of 2026, including tech firms such as Amazon, Anthropic, Apple, Google, and OpenAI.

The initiative has been welcomed by the HHS’ Office for Civil Rights (OCR), which for several years has had a HIPAA enforcement initiative targeting noncompliance with the HIPAA Right of Access. Under that initiative, more than 50 healthcare providers have paid financial penalties for failing to provide patients with timely access to their medical records, as required by the HIPAA Privacy Rule. While patients can receive copies of their health records under HIPAA, there are still barriers to sharing that information with others. Under this initiative, tools will be made available to make data sharing as simple as providing a QR code to a new healthcare provider to transfer medical records.

“[OCR] supports actions that improve the timeliness in providing individuals with access to their electronic protected health information, without sacrificing health information privacy and security,” said OCR Director Paula M. Stannard. “If an individual receives another individual’s electronic protected health information in error, generally, OCR’s primary HIPAA enforcement interests are ensuring that the affected individual and HHS receive timely HIPAA breach notification.”

More than 21 networks have agreed to adopt the voluntary criteria to become CMS-aligned networks, and 30 companies have pledged to provide apps that will use secure digital identity credentials to obtain electronic medical records from CMS alligned networks and facilitate data sharing. Apps will be developed to help in key areas, such as helping patients with diabetes and obesity management, conversational AI assistants will be available for checking symptoms, scheduling appointments, and navigating care options, and “kill the clipboard” tools will be made available to replace intake forms with secure digital check-in methods.

One of the tech companies participating in the effort is CLEAR, a secure identity platform provider. “We are excited that identity services – like CLEAR – are making it possible for patients and providers to use verified, secure identity as part of CMS’s Health Tech Ecosystem,” said Amy Gleason, Acting Administrator for the U.S. DOGE Service and Strategic Advisor to the CMS. “Checking in at the doctor’s office should be the same as boarding a flight. Patients should be able to scan a QR code to instantly and safely share their identity, insurance, and medical history”.

The HHS has confirmed that all of the proposals will be compliant with the HIPAA Privacy and Security Rules. While that is no doubt true, once a healthcare provider has provided a patient with a copy of their records, those records are no longer protected by HIPAA. Patients must ensure they exercise caution when sharing their records with any third party, as uses and disclosures of the shared information may not be subject to HIPAA protections.

“Improving health tech interoperability can eliminate frustrating inefficiencies and empower patients and providers. But health data is some of the most sensitive information people can share — and it must be protected responsibly,” said Andrew Crawford, Senior Counsel, Privacy & Data, and the Center for Democracy & Technology. “The U.S. doesn’t have a general-purpose privacy law, and HIPAA only protects data held by certain people like healthcare providers and insurance companies. Many health and AI apps, including some being promoted by the Trump Administration, are typically not covered by HIPAA. That could put sensitive information in real danger.”

The post Trump Administration Announces Plan to Improve Patient Data Sharing appeared first on The HIPAA Journal.

New York Surgery Center Pays $250K to Settle HIPAA Risk Analysis; Breach Notification Violations

Posted by Steve Alder

Department of Health and Human Services (HHS) Office for Civil Rights (OCR) Director, Paula M. Stannard, has announced OCR’s 18th HIPAA penalty of the year.  Syracuse ASC, which does business as Specialty Surgery Center of Central New York, a single-facility ambulatory surgery center in Liverpool, New York, has agreed to settle alleged violations of the HIPAA Security Rule and HIPAA Breach Notification Rule and will pay a $250,000 financial penalty.

OCR launched an investigation of Syracuse ASC after receiving a data breach notification report on October 14, 2021, about a hacking incident involving unauthorized access to the protected health information of 24,891 current and former patients. A threat actor had access to its network from March 14, 2021, through March 31, 2021, and potentially obtained names, dates of birth, Social Security numbers, financial information, and clinical treatment information. OCR investigation confirmed that this was a ransomware attack involving PYSA ransomware.

OCR’s investigation uncovered no evidence to suggest that Syracuse ASC had ever conducted a risk analysis to identify potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information, as required by the HIPAA Security Rule – 45 C.F.R. §164.308(a)(1)(ii)(A). OCR also determined that Syracuse ASC had failed to issue timely notifications to the HHS Secretary and the affected individuals. The data breach was identified on March 31, 2021, yet notifications were not issued for six and a half months. The HIPAA Breach Notification Rule requires notifications to be issued within 60 days of the discovery of a data breach – 45 C.F.R. § 164.404(b) and 45 C.F.R. § 164.408(b).

Syracuse ASC was given the opportunity to resolve the alleged HIPAA violations informally, and the case was settled. Syracuse ASC has agreed to pay a $250,000 penalty and adopt a corrective action plan to ensure compliance with the HIPAA Rules. The corrective action plan requires Syracuse ASC to conduct an accurate and thorough risk analysis; develop and implement a risk management plan; develop, implement and maintain policies and procedures to ensure compliance with the HIPAA Rules; distribute those policies and procedures to the workforce; and provide the workforce with training on those policies and procedures at least every 12 months.

“Conducting a thorough HIPAA-compliant risk analysis (and developing and implementing risk management measures to address any identified risks and vulnerabilities) is even more necessary as sophisticated cyberattacks increase,” said OCR Director Paula M. Stannard. “HIPAA covered entities and business associates make themselves soft targets for cyberattacks if they fail to implement the HIPAA Security Rule requirements.”

OCR penalties for HIPAA violations - 2017 - 2025

The post New York Surgery Center Pays $250K to Settle HIPAA Risk Analysis; Breach Notification Violations appeared first on The HIPAA Journal.

Medical Imaging Service Provider Settles HIPAA Risk Analysis & Breach Notification Failures

Posted by Steve Alder

The HHS’ Office for Civil Rights has announced its 8th financial penalty under the Trump administration, with the latest financial penalty resolving an alleged violation of the risk analysis provision of the HIPAA Security Rule and a violation of the HIPAA Breach Notification Rule.  The California magnetic resonance imaging (MRI) service provider, Vision Upright MRI LLC, has agreed to settle the alleged violations and will pay a $5,000 financial penalty.

OCR currently has a risk analysis enforcement initiative and has imposed 9 penalties under this initiative. OCR is focusing on risk analysis compliance as the risk analysis is a foundational Security Rule requirement that is essential for risk management and implementing safeguards to ensure the confidentiality, integrity, and availability of electronic protected health information (ePHI). The failure to conduct a comprehensive and accurate risk analysis is also one of the most commonly identified HIPAA violations.

OCR also appears to be looking closely at Breach Notification Rule compliance. The HIPAA Breach Notification Rule requires notifications to be issued to the HHS Secretary (via the OCR breach portal) and the affected individuals within 60 days of the discovery of a data breach. A media notice is also required for breaches affecting 500 or more individuals. This is the second HIPAA compliance case this year to include a penalty for late breach notifications.

Vision Upright MRI is a small healthcare provider with one location in San Jose, California. OCR notified Vision Upright MRI on December 1, 2020, that OCR had initiated an investigation into compliance with the HIPAA Rules. It is unclear from the settlement agreement how OCR discovered the data breach, as the data breach was not reported to OCR, and the affected individuals were not notified. The breach also does not appear to have been reported to the California Attorney General. The only breach notice on the OCR breach portal from Vision Upright MRI is a March 10, 2025, breach with 23,031 affected individuals.

OCR’s investigation revealed Vision Upright MRI had never conducted a comprehensive and accurate risk analysis to identify risks and vulnerabilities to ePHI, and also failed to notify the affected individuals within 60 days of the discovery of a data breach. OCR said the ePHI of 21,778 individuals, including medical images and associated ePHI, was stored on an unsecured Picture Archiving and Communication System (PACS) server. The server and PACS were used for storing, retrieving, managing, and accessing radiology images, and the server had been accessed by an unauthorized third party. It is unclear whether the access was by a hacker, a security researcher, or another individual.

Under the terms of the settlement, Vision Upright MRI will pay a $5,000 financial penalty and adopt a corrective action plan (CAP) to ensure HIPAA compliance. Compliance with the CAP will be monitored by OCR for 2 years. The CAP requires Vision Upright MRI to conduct a comprehensive and accurate risk analysis to identify risk and vulnerabilities to ePHI; develop, implement, and maintain a risk management plan to reduce any risks and vulnerabilities identified through the risk analysis to a low and acceptable level; develop, implement, and maintain policies and procedures to comply with the HIPAA Rules; distribute the policies and procedures to the workforce and provide HIPAA training; and issue breach notifications to the HHS, the media, and the affected individuals.

“Cybersecurity threats affect large and small covered health care providers,” OCR Acting Director Anthony Archeval said. “Small providers also must conduct accurate and thorough risk analyses to identify potential risks and vulnerabilities to protected health information and secure them.”

OCR HIPAA Fines and settlements 2017 to 2025

The post Medical Imaging Service Provider Settles HIPAA Risk Analysis & Breach Notification Failures appeared first on The HIPAA Journal.