Back in February, The HIPAA Journal reported on the efforts of the non-profit watchdog organizations the Campaign for Accountability and the Electronic Frontier Foundation (EFF) to prevent crisis pregnancy centers (CPCs) from claiming or implying they are bound by the Health Insurance Portability and Accountability Act (HIPAA) on their websites and intake forms, when they are not HIPAA-regulated entities.

Most CPCs are not licensed healthcare providers and are therefore not bound by the HIPAA Rules, yet CPCs have been identified by the Campaign for Accountability and EFF that imply that they are bound by the HIPAA Rules. Regardless of personal opinions about abortion procedures and reproductive healthcare, implying that personal data is protected by HIPAA when it is not is a deceptive business practice.

Under HIPAA, regulated entities are healthcare providers, health plans, healthcare clearinghouses, and business associates of those entities, and all are required to comply with the HIPAA Rules. One of the requirements of HIPAA is to have a notice of privacy practices, which should be displayed in a prominent position in a physical location and be published on the entity’s website. The notice of privacy practices must clearly state how the entity may use and share health information, individuals’ privacy rights, and how to make a complaint about a potential privacy violation, including the right to file a complaint with the Department of Health and Human Services (HHS).

Investigations by the watchdogs identified CPCs that have a website notice of privacy practices, which indicates compliance with the HIPAA Rules. Some even state in their notice of privacy practices that individuals can file a complaint with the HHS if they feel their privacy has been violated. While anyone can file a complaint with the HHS about a potential HIPAA violation, the HHS will not act on any complaint if it is filed against a non-HIPAA-regulated entity. While a CPC may comply with its published privacy policy, uses and disclosures of personally identifiable health information are not subject to HIPAA protections, and implying or stating that information is protected under HIPAA misleads consumers about privacy protections.

Both the Campaign for Accountability and the Electronic Frontier Foundation filed complaints with several state attorneys general about the alleged deceptive business practices. In 2024, the Campaign for Accountability filed complaints with the state attorneys general in Idaho, Minnesota, Washington, Pennsylvania, and New Jersey, and this year, EFF filed complaints with the state attorneys general in Arkansas, Missouri, Texas, and Florida. The complaints included examples of CPCs in the respective states that were alleged to have engaged in deceptive business practices.

The complaints include numerous statements from CPC websites indicating HIPAA compliance, when those entities are not bound by the HIPAA Rules. For example, some CPCs state “client information is held in strict and absolute confidence, according to HIPAA guidelines,” or that they are subject to oversight by the HHS’ Office for Civil Rights, or that their forms are HIPAA-compliant. In one case, a CPC claimed, “If you receive services through [CPC], federal law, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), also protects your health information.” In each case, the CPC is not a HIPAA-regulated entity.

In a recent update, the EFF confirmed that its efforts are showing some signs of success. While substantive responses have not been received from state attorneys general, other than confirmations that the complaints have been received, some CPCs have responded and have made changes to their messaging. “Of the 21 CPCs we cited as exhibits in our complaints, six have completely removed HIPAA references from their websites, and one has made partial changes (removed one of two misleading claims). Notably, every center we flagged in our letters to Texas AG Ken Paxton and Arkansas AG Tim Griffin has updated its website—a clear sign that clinics in these states are responding to scrutiny,” said EFF legislative activist, Rindala Alajaji. “While 14 remain unchanged, this is a promising development. These centers are clearly paying attention—and changing their messaging.”

The post Crisis Pregnancy Centers’ Websites Edited After Scrutiny of HIPAA Claims appeared first on The HIPAA Journal.

Fifteen nurses at Providence Sacred Heart Medical Center & Children’s Hospital in Spokane, Washington, have been terminated for alleged HIPAA violations. The nurses allegedly accessed the medical records of a 12-year-old patient who committed suicide at the children’s hospital on April 13, 2024, when there was no direct treatment relationship.

Starting in early 2024, the patient had been repeatedly admitted to the emergency department of the hospital after several self-harm incidents and attempts to end her own life. Overnight on April 13, 2024, the patient left her room alone and died after jumping off a 4^th-floor parking garage. The hospital launched an investigation and has implemented new security protocols, including suicide risk screening for all patients.

Providence Sacred Heart Medical Center is being sued by the child’s parents for alleged negligence and medical malpractice, as while she was being monitored round the clock by a sitter assigned to her room and via video surveillance, those measures were removed on April 13, 2024, according to the lawsuit. The Washington Department of Health launched an investigation, which is ongoing, and has identified deficiencies that Providence Sacred Heart is addressing.

Fifteen nurses have now been terminated in connection with the incident, and another has been disciplined. Under HIPAA, medical records can generally only be accessed for reasons related to treatment, payment, or healthcare operations. Accessing medical records out of curiosity, even with no malicious intent, is a HIPAA violation. Staff members found to have violated HIPAA face sanctions, which for unauthorized medical record access is often termination.

According to a statement provided to The Spokesman-Review, the terminations were all for patient privacy violations, in accordance with the hospital’s sanctions policy. “Providence takes violations of our code of conduct and federal privacy laws that govern private health information very seriously,” said Providence Sacred Heart spokesperson, Jen York. “We review employee conduct and take appropriate action, including termination of employment, where warranted. Patient privacy is one of our top priorities.”

The Washington State Nurses Association was contacted by the nurses and has filed grievances over the terminations and disciplinary action. “Any information accessed pertained directly to the nurses’ duties responding to this crisis,” said WSNA director David Keepnews. “We reject Providence Sacred Heart’s claims that privacy was violated by nurses who were doing their jobs to assist in efforts to save the life of a 12-year-old girl in the hospital’s care.”

The nurses and WSNA suggest that the terminations and disciplinary action were an act of retaliation for speaking with the media. The hospital allegedly conducted an audit of access logs after the publication of a story by InvestigateWest about the suicide. The story included quotes from anonymous sources at the hospital. The nurses claim they were asked if they had spoken to the media and were subsequently fired.

The post Washington Children’s Hospital Fires 15 Nurses for Alleged HIPAA Violations appeared first on The HIPAA Journal.

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has published new and updated guidance on certain aspects of the HIPAA Privacy Rule, adding a new FAQ on permitted disclosures of PHI to value-based care arrangements and updating an FAQ on the types of personal health information that individuals can request access to.

The new FAQ relates to disclosures to value-based care arrangements, such as accountable care organizations, for treatment purposes and follows an announcement by the HHS Centers for Medicare and Medicaid Services (CMS) about the steps being taken to improve interoperability and prevent information blocking. At a White House event on July 30, 2025, the Trump Administration explained that commitments had been obtained from several tech firms to work on interoperability and user-friendly apps that empower patients to improve their outcomes and their healthcare experience through seamless sharing of information between patients and providers.

At the event, the CMS unveiled voluntary criteria for trusted, patient-centered, and practical data exchange that will be accessible for all network types—health information networks and exchanges, Electronic Health Records (EHR), and tech platforms. The plan is to create a digital health care ecosystem that will improve patient outcomes, reduce provider burden, and drive value.

The new FAQ explains that “The Privacy Rule generally allows PHI to be used or disclosed without restriction for treatment purposes. This includes disclosures of PHI to participants in value-based care arrangements, such as accountable care organizations.” The FAQ goes on to explain that, “The definition [of treatment] incorporates the necessary interaction of more than one entity. As a result, a covered entity is permitted to disclose PHI, regardless of to whom the disclosure is made, where the disclosure is made for the treatment activities of a health care provider.”

That means that a patient is not required to give their authorization before a covered healthcare provider can disclose PHI for the treatment activities of another healthcare provider, as long as both providers are treating the individual through a value-based care arrangement, such as an accountable care organization. The same applies to disclosures of PHI by health plans to healthcare providers, provided the disclosure enables the healthcare provider to provide treatment as part of a value-based care arrangement.

Change Guidance on Access to Personal Health Information

Under HIPAA, individuals have certain rights over their health records, including the right to obtain a copy of their records (in one or more designated record sets) and request changes to correct inaccuracies. The FAQ on the types of personal health information that individuals can access has been updated to include consent forms for treatment.

Per the updated FAQ, “Individuals have a right to access a broad array of health information about themselves, whether maintained by a covered entity or by a business associate on the covered entity’s behalf, including medical records, billing and payment records, insurance information, clinical laboratory test reports, X-rays, wellness and disease management program information, consent forms for treatment, and notes (such as clinical case notes or “SOAP” notes (a method of making notes in a patient’s chart)”

The post OCR Publishes New and Updated HIPAA Privacy Rule Guidance appeared first on The HIPAA Journal.

The HHS’ Office for Civil Rights has announced its 8th financial penalty under the Trump administration, with the latest financial penalty resolving an alleged violation of the risk analysis provision of the HIPAA Security Rule and a violation of the HIPAA Breach Notification Rule.  The California magnetic resonance imaging (MRI) service provider, Vision Upright MRI LLC, has agreed to settle the alleged violations and will pay a $5,000 financial penalty.

OCR currently has a risk analysis enforcement initiative and has imposed 9 penalties under this initiative. OCR is focusing on risk analysis compliance as the risk analysis is a foundational Security Rule requirement that is essential for risk management and implementing safeguards to ensure the confidentiality, integrity, and availability of electronic protected health information (ePHI). The failure to conduct a comprehensive and accurate risk analysis is also one of the most commonly identified HIPAA violations.

OCR also appears to be looking closely at Breach Notification Rule compliance. The HIPAA Breach Notification Rule requires notifications to be issued to the HHS Secretary (via the OCR breach portal) and the affected individuals within 60 days of the discovery of a data breach. A media notice is also required for breaches affecting 500 or more individuals. This is the second HIPAA compliance case this year to include a penalty for late breach notifications.

Vision Upright MRI is a small healthcare provider with one location in San Jose, California. OCR notified Vision Upright MRI on December 1, 2020, that OCR had initiated an investigation into compliance with the HIPAA Rules. It is unclear from the settlement agreement how OCR discovered the data breach, as the data breach was not reported to OCR, and the affected individuals were not notified. The breach also does not appear to have been reported to the California Attorney General. The only breach notice on the OCR breach portal from Vision Upright MRI is a March 10, 2025, breach with 23,031 affected individuals.

OCR’s investigation revealed Vision Upright MRI had never conducted a comprehensive and accurate risk analysis to identify risks and vulnerabilities to ePHI, and also failed to notify the affected individuals within 60 days of the discovery of a data breach. OCR said the ePHI of 21,778 individuals, including medical images and associated ePHI, was stored on an unsecured Picture Archiving and Communication System (PACS) server. The server and PACS were used for storing, retrieving, managing, and accessing radiology images, and the server had been accessed by an unauthorized third party. It is unclear whether the access was by a hacker, a security researcher, or another individual.

Under the terms of the settlement, Vision Upright MRI will pay a $5,000 financial penalty and adopt a corrective action plan (CAP) to ensure HIPAA compliance. Compliance with the CAP will be monitored by OCR for 2 years. The CAP requires Vision Upright MRI to conduct a comprehensive and accurate risk analysis to identify risk and vulnerabilities to ePHI; develop, implement, and maintain a risk management plan to reduce any risks and vulnerabilities identified through the risk analysis to a low and acceptable level; develop, implement, and maintain policies and procedures to comply with the HIPAA Rules; distribute the policies and procedures to the workforce and provide HIPAA training; and issue breach notifications to the HHS, the media, and the affected individuals.

“Cybersecurity threats affect large and small covered health care providers,” OCR Acting Director Anthony Archeval said. “Small providers also must conduct accurate and thorough risk analyses to identify potential risks and vulnerabilities to protected health information and secure them.”

The post Medical Imaging Service Provider Settles HIPAA Risk Analysis & Breach Notification Failures appeared first on The HIPAA Journal.

Research conducted by the cybersecurity company Netskope indicates healthcare workers routinely expose sensitive data such as protected health information (PHI) by using generative AI tools such as ChatGPT and Google Gemini and by uploading data to personal cloud storage services such as Google Drive and OneDrive.

The healthcare industry has fully embraced AI tools, with almost all organizations using AI tools to some degree to improve efficiency. According to data collected by Netskope Threat Labs, 88% of healthcare organizations have integrated cloud-based genAI apps into their operations, 98% use apps that incorporate genAI features, 96% use apps that leverage user data for training, and 43% are experimenting with running genAI infrastructure locally.

As more healthcare organizations incorporate AI tools into their operations and make them available to their workforces, fewer healthcare workers are using personal AI accounts for work purposes; however, 71% of healthcare workers still use personal AI accounts, down from 87% the previous year. If genAI tools are not HIPAA-compliant and the developers will not sign business associate agreements, using those tools with PHI violates HIPAA and puts organizations at risk of regulatory penalties. Further, uploading patient data to genAI tools and cloud storage services without robust safeguards in place can erode patient trust.

“Beyond financial consequences, breaches erode patient trust and damage organizational credibility with vendors and partners,” Ray Canzanese of Netskope said. It is clear that there needs to be greater oversight of the use of AI tools, and a pressing need for authorized tools to be provided to reduce “shadow AI” risks.

According to Netskope, the mishandling of HIPAA-regulated data is the leading security concern in the healthcare sector, and PHI is the most common type of sensitive data uploaded to personal cloud apps, genAI apps, and other unapproved locations. Netskope reports that 81% of all data policy violations were for regulated healthcare data, with the remainder including source code, secrets, and intellectual property.

“Healthcare organizations must balance the benefits of genAI with the implementation of strict data governance policies to mitigate associated risks,” warns Netskope. Netskope recommends the adoption of enterprise-grade genAI applications with robust security features to ensure that sensitive and regulated data is properly protected, along with data loss prevention (DLP) tools for monitoring and controlling access to genAI tools to prevent privacy violations. Netskope says 54% of healthcare organizations now have DLP policies, up from 31% the previous year. The most commonly blocked genAI apps in healthcare are DeepAI, Tactiq, and Scite, with 44%, 40%, and 36% of healthcare organizations blocking these apps with their DLP tools due to privacy risks and there being more secure alternatives.

While genAI tools certainly have a place in healthcare and can help improve efficiency, there are significant security challenges. Netskope warns that healthcare organizations must remain vigilant, implement comprehensive security measures, and enforce data protection policies, as well as incorporate the risks into their cybersecurity awareness training.

The report also warns of the risk of malware infections via cloud apps. Threat actors are increasingly using cloud apps to deploy information stealers and ransomware, with GitHub, OneDrive, Amazon S3, and Google Drive being the most common. Rather than trying to breach networks themselves, threat actors use social engineering to trick healthcare employees into compromising their own systems with first-stage malware payloads, which give threat actors initial access to networks. Netskope recommends inspecting all HTTP and HTTPS traffic for phishing and malware, blocking apps that serve no business purpose or pose a disproportionate risk to the organization, and using remote browser isolation technology when categories of websites need to be visited that pose a higher risk, such as newly registered domains.

The post Healthcare Workers Violating Patient Privacy by Uploading Sensitive Data to GenAI and Cloud Accounts appeared first on The HIPAA Journal.

The HHS’ Office for Civil Rights (OCR) has announced another settlement to resolve an alleged violation of the risk analysis implementation specification of the HIPAA Security Rule. Comprehensive Neurology PC, a small neurology practice in New York City that specializes in diagnosing and treating neurological conditions such as dementia, Parkinson’s disease, epilepsy, and memory loss, has agreed to settle the alleged violation and pay a $25,000 financial penalty.

The alleged HIPAA violation was identified by OCR during an investigation of a 2020 data breach that involved unauthorized access to the electronic protected health information (ePHI) of 6,800 individuals. OCR was informed of the data breach on December 17, 2020. Comprehensive Neurology discovered it had been attacked with ransomware on December 14, 2020, when staff were prevented from accessing patients’ medical records. The forensic investigation confirmed that the ePHI of 6,800 individuals had been exposed and potentially stolen in the attack, including names, clinical information, health insurance information, demographic information, Social Security numbers, driver’s license numbers, and state identification numbers.

OCR’s investigation revealed that Comprehensive Neurology had failed to conduct a comprehensive and accurate risk analysis to identify risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI, as required by 45 C.F.R. §164.308(a)(1)(ii)(A) of the HIPAA Security Rule. Comprehensive Neurology was given an opportunity to settle the alleged HIPAA violation informally and agreed to pay a financial penalty and adopt a corrective action plan. OCR will monitor Comprehensive Neurology for compliance with the corrective action plan for two years.

The corrective action plan requires Comprehensive Neurology to:

• Conduct a comprehensive, accurate, and organization-wide risk analysis
• Develop and implement a risk management plan to reduce the identified risks and vulnerabilities to a low and acceptable level
• Develop, implement, and maintain policies and procedures to ensure compliance with the HIPAA Rules
• Distribute those policies and procedures to members of the workforce
• Provide training to the workforce on those policies and procedures
• Submit an implementation report to OCR and annual reports confirming compliance with the corrective action plan
• Ensure that any data breaches or compliance violations are reported to OCR promptly

It has been a busy month of HIPAA enforcement for OCR. So far this month, OCR has announced four settlements with HIPAA-regulated entities to resolve alleged violations of the HIPAA Rules, and seven penalties this year under the Trump administration. All seven of the enforcement actions include penalties for risk analysis failures.  The settlement with Comprehensive Neurology was OCR’s 12^th investigation of a ransomware attack to result in a financial penalty for HIPAA compliance failures, and the 8^th enforcement action under OCR’s risk analysis enforcement initiative. OCR explained that by focusing on risk analyses, the most commonly identified HIPAA violation, OCR can increase the number of closed investigations and highlight the importance of compliance with this foundational HIPAA Security Rule requirement.

“Effective cybersecurity requires proactively implementing the HIPAA Security Rule requirements before a breach or cybersecurity incident occurs,” said OCR Acting Director Anthony Archeval. “OCR urges health care entities to prioritize compliance with the HIPAA Security Rule risk analysis requirement.”

The post New York Neurology Practice Pays $25,000 to Resolve Alleged Risk Analysis Violation appeared first on The HIPAA Journal.

Last week, the Department of Health and Human Services (HHS) and the National Institute for Standards and Technology (NIST) hosted the Safeguarding Health Information: Building Assurance Through HIPAA Security 2024 conference after a 5-year absence. Attendees learned about the current cybersecurity landscape in healthcare, how compliance with the HIPAA Security Rule can help HIPAA-regulated entities combat cyber threats, and were provided with practical tips and techniques for implementing the requirements of the HIPAA Security Rule.

On October 24, 2024, in a keynote speech, OCR Director Melanie Fontes Rainer provided an update on OCR’s main priorities. One of the key priorities is an update to the HIPAA Security Rule to add new cybersecurity requirements. OCR has been working on an update to the HIPAA Security Rule this year and has now finalized its proposed rule. The proposed rule is now being reviewed by the Office of Management and Budget (OMB) and Fontes Rainer anticipates publishing a Notice of Proposed Rulemaking (NPRM) before the end of the year.

Fontes Rainer did not share any of the cybersecurity measures that have been added, only confirming that since this will be the first time in two decades that the HIPAA Security Rule has been updated, there will be “substantive updates.” The process of rulemaking has been informed by thousands of investigations of healthcare data breaches and complaints, which has allowed OCR to develop a more robust HIPAA Security Rule to make sure the healthcare sector is much more secure. When the NPRM is published, likely to be in December 2024, healthcare industry stakeholders will be able to submit their feedback and have their say. Fontes Rainer said the department is looking forward to the opportunity to engage with the healthcare community through the public commenting process.

Fontes Rainer explained that OCR has continued to investigate complaints and data breaches and has imposed several financial penalties this year to resolve noncompliance issues. This year, as well as its enforcement actions over the past 15 years, have uncovered the same noncompliance issues time and time again. One of the most commonly identified issues, and one of the main areas of noncompliance to result in financial penalties, is noncompliance with the risk analysis provision of the HIPAA Security Rule. In many investigations, OCR has discovered the failure to conduct a comprehensive, organization-wide risk analysis to identify risks and vulnerabilities to ePHI, incomplete risk analyses, and compliance with that requirement but a failure to act on the information gathered during the risk analysis and manage and reduce risks to a low and acceptable level. The importance of compliance with this issue is why OCR has made the risk analysis requirement an enforcement initiative.

OCR has received many complaints in recent years about the failure to provide individuals with a copy of their requested records, as required by the HIPAA Right of Access. It is one of the most common reasons for individuals filing complaints with OCR. In response, OCR launched a HIPAA Right of Access enforcement initiative in 2019 and in the years since has imposed 50 financial penalties for the failure to provide timely access to medical records.

Investigations of complaints and data breaches will remain a key priority for the department but financial penalties are relatively rare. The majority of investigations where noncompliance is discovered are resolved through technical assistance, highlighting how OCR works with HIPAA-regulated entities to help them comply with the regulations. Fontes Rainer said the reason compliance issues are flagged is because compliance is important and must be addressed.

The other main focus of OCR is to engage with the healthcare sector on cybersecurity matters but Fontes Rainer said the department is fairly small, has an extensive workload, and limited budget, so OCR’s efforts to engage with the community need to be highly focused and strategic. She said it is vital that OCR and the healthcare community work together to drive forward compliance and improve cybersecurity. OCR has increased engagement through webinars, YouTube videos, and newsletters in an effort to reach more members of the community and combat the growing threat of cyberattacks and data breaches – which affected more than 160 million individuals last year.

The post OCR Explains Department’s Key Priorities at HHS-NIST Conference appeared first on The HIPAA Journal.