OCR Requests HIPAA Risk Management Questions for Upcoming Video Presentation – The HIPAA Journal
The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is working on a video presentation to explain the requirements of the risk management process of the HIPAA Security Rule and has requested risk management questions from HIPAA-regulated entities.
The risk analysis is a foundational element of the HIPAA Security Rule that requires risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI) to be identified. OCR frequently identifies risk analysis failures in its investigations of data breaches, complaints, and through its HIPAA compliance audit program, including incomplete and nonexistent risk analyses. It is the most commonly identified HIPAA Security Rule violation, and a frequent reason for imposing a financial penalty.
OCR has released guidance to help HIPAA-regulated entities conduct a risk analysis, and a downloadable risk assessment tool for small- and medium-sized regulated entities to guide them through the process. After conducting a risk analysis, all identified risks and vulnerabilities to ePHI must be subjected to a risk management process, detailed in § 164.308(a)(1)(ii)(B) of the administrative safeguards of the HIPAA Security Rule. Risk management is defined as “Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with § 164.306(a) [Security Standards: General Rules].”
Two of OCR’s enforcement actions this year included penalties for risk management failures – the $3,000,000 penalty for Solara Medical Supplies and the $1,500,000 penalty for Warby Parker, Inc. To clear up any potential confusion about the risk management process, OCR is producing a video presentation – HHS’ OCR Presents: The HIPAA Security Rule: Risk Management.
Nick Heesters, OCR’s Senior Advisor for Cybersecurity, will cover various aspects of the risk management provision of the HIPAA Security Rule in the presentation. Heesters will explain what is required in terms of risk management and the use of cybersecurity resources, and will provide insights into OCR’s investigations into potential risk management HIPAA violations.
Since this will be a pre-recorded video presentation rather than a live webinar, OCR has requested questions from HIPAA-regulated entities about the risk management requirement of the HIPAA Security Rule, a selection of which will be answered during the presentation. If you have any questions related to risk management, this is an ideal opportunity to get the answers you seek. Questions should be submitted to OCR no later than December 8, 2025, via email at OCRPresents@hhs.gov.
The post OCR Requests HIPAA Risk Management Questions for Upcoming Video Presentation appeared first on The HIPAA Journal.
Are You Really Compliant? The Stricter Medical Privacy Regulations in Texas
In addition to HIPAA and the Texas Medical Records Privacy Act/HB300, several other laws apply to the privacy and security of medical records in Texas. Laws such as the Texas Identity Theft Enforcement and Protection Act, the Texas Data Privacy and Security Act, the Texas Responsible AI Governance Act, SB1188 and the Texas Medical Practice Act create a layered system of protections that often go beyond HIPAA’s minimum requirements.
Before HIPAA, medical confidentiality in Texas was governed mainly by the Texas Health and Safety Code, which already limited how health information could be used and disclosed, and gave patients rights to see their records. HIPAA then introduced federal privacy and security rules, but only for a narrower group of “covered entities.” To close that gap, Texas passed the Texas Medical Records Privacy Act in 2001, extending HIPAA-style protections to more organizations that handle Texans’ health information. HB300, passed in 2011, strengthened that Act by tightening rules for electronic disclosures, shortening deadlines for responding to patient access requests, and expanding breach notification requirements. HB300 is important, but it operates alongside a broader set of Texas privacy and security laws.
The Texas Identity Theft Enforcement and Protection Act (TITEPA) is not limited to healthcare, but it heavily affects healthcare organizations because it applies to any business that handles personal identifying information about Texas residents. Its definition of “sensitive personal information” is broader than HIPAA’s definition of PHI, so some data that is not PHI still has to be protected as if it were. Organizations must secure this information, dispose of it safely, and notify individuals (and sometimes the Attorney General) if computerized sensitive personal information is acquired by an unauthorized person. Because these requirements sit next to HIPAA’s breach rules, many healthcare organizations in Texas treat all patient-related information like PHI and apply HIPAA-level safeguards across the board.
The Texas Data Privacy and Security Act (TDPSA) is aimed at consumer data generally, but it also touches healthcare. Covered entities and business associates are exempt for PHI but not for other personally identifying data they collect, such as marketing lists, website tracking data, appointment booking details, or some HR data. For this non-PHI data, organizations must limit collection to what is necessary, obtain informed consent for certain uses (such as targeted marketing), and honor rights to access, correct, or request deletion where those rights apply. Deletion rights do not override medical record retention requirements, so PHI and medical records still must be kept according to Texas rules.
The Texas Responsible AI Governance Act and SB1188 add AI- and EHR-specific obligations. The AI Governance Act applies broadly to developers and users of AI, including healthcare organizations that use AI in clinical or administrative workflows. Patients must be told when AI is used in diagnosis or clinical decision support (outside emergencies), and patient authorization is required if PHI is sent to AI systems for purposes beyond treatment, payment, healthcare operations, or required-by-law disclosures.
SB1188 goes further by requiring AI-generated diagnostic outputs to be reviewed under standards set by the Texas Medical Board and documented in the medical record, and by imposing specific security and functionality requirements on EHRs. It restricts storing certain data types in EHRs, such as credit scores or voter-registration status, and sets rules around parental access to minors’ electronic records – with exceptions for sensitive services such as reproductive, substance use, or mental health care.
The Texas Medical Practice Act and related code provisions add professional and confidentiality duties for licensed healthcare professionals on top of all this. In many cases, state law requires written consent for disclosures that go beyond treatment, payment, healthcare operations, or disclosures explicitly required by law, and adds extra protections for especially sensitive categories such as mental health, substance use, HIV testing, and genetic information. These provisions are updated regularly and can override or refine how other laws apply in specific scenarios.
Because all of these laws overlap, organizations that handle medical information about Texas residents generally follow a “most protective law wins” approach. HIPAA and the Texas Medical Records Privacy Act/HB300 are central pieces of Texas medical privacy law, but real-world practice is also shaped by TITEPA, the TDPSA, the Responsible AI Governance Act, SB1188, and the Medical Practice Act. For workforce members, the safest course is to follow organizational policies, complete required training, and ask their privacy or compliance teams when they are unsure.
Kaiser Foundation Health Plan Settles Unwanted Text Message Lawsuit
The risk of sending unwanted marketing communications to consumers has been highlighted by a $10.5 million settlement with Kaiser Foundation Health Plan, which is alleged to have continued sending marketing text messages to individuals who opted out of receiving marketing communications.
Legal action was taken against Kaiser Foundation Health Plan, doing business as Kaiser Permanente, by Jonathan Fried, who alleged that the defendant violated federal and Florida state law by continuing to send marketing text messages after he had submitted an opt-out request to stop receiving the communications.
The lawsuit, Jonathan Fried v. Kaiser Foundation Health Plan, Inc., d/b/a Kaiser Permanente, was filed individually and on behalf of similarly situated individuals over the alleged sending of unwanted text messages marketing Kaiser Permanente’s products and services. According to the lawsuit, the defendant sent or failed to stop further messages from being sent after consumers replied with the word STOP or performed a similar opt-out instruction. According to the lawsuit, the failure to honor the opt-out requests violated the federal Telephone Consumer Protection Act (TCPA) and the Florida Telephone Solicitation Act (FTSA). The violations are alleged to have occurred between January 21, 2021, and August 20, 2025.
Kaiser maintains there was no wrongdoing and denies and continues to deny the allegations in the lawsuit; however, a settlement was agreed to bring the litigation to an end to avoid the cost of a trial and related appeals, and the risks and uncertainties for both sides from continuing with the litigation. Kaiser has agreed to pay up to $10,500,000 to settle the litigation. The settlement fund will cover attorneys’ fees and expenses, a service award for the class representative, settlement administration costs, and cash payments for the class members.
There are two settlement classes. The nationwide class applies to all individuals in the United States who were sent more than one text message regarding the defendant’s goods or services in any 12-month period between January 21, 2021, and August 20, 2025, after replying to a message with STOP or performing a similar opt-out instruction. The Florida FTSA class includes all persons who resided in Florida and received more than one text message between the same dates about the defendant’s goods or services at least 15 days after opting not to receive the communications.
Class members who submit a valid claim will receive a payment of up to $75 per qualifying text message they received. If the number of claims exceeds the funds in the settlement, then claims will be paid pro rata. Should any funds remain in the settlement fund after all claims have been paid, then they will be refunded to Kaiser.
The settlement has received preliminary approval from the court, and claims must be submitted by February 12, 2026. The deadline for opting out and exclusion from the settlement is December 29, 2025. The final approval hearing has been scheduled for January 28, 2026.
$3.5 Million Mindpath Health Data Breach Settlement Gets First Nod – The HIPAA Journal
A California Superior Court judge has given preliminary approval to a settlement to resolve litigation against Community Psychiatry Management, LLC, operating as Mindpath Health, to resolve a class action lawsuit stemming from two email data breaches in 2022 that affected 193,947 individuals.
Mindpath Health is a California-based mental health service provider serving patients in seven U.S. states. In March 2022 and again in June 2022, unauthorized individuals gained access to Microsoft Office 365 business accounts that contained the protected health information of Mindpath Health patients and other individuals. The breach was discovered in June during a routine audit of its email environment, which identified suspicious account activity.
The investigation confirmed that two email accounts had been subject to unauthorized access in March and June 2022, exposing names, addresses, Social Security numbers, dates of birth, medical diagnoses, prescriptions, treatment information, and health insurance information. Notification letters were sent to the affected individuals on January 10, 2023, almost seven months after the breach was identified.
A class action lawsuit was filed in the Eastern District of California by plaintiff Corina Lowrey on January 30, 2023, followed by two further complaints from other Mindpath Health patients. The lawsuits were consolidated into a single complaint – Lowrey, et al., v. Community Psychiatry Management, LLC – in the Superior Court of California, County of Los Angeles.
The plaintiffs claimed that the breach was a direct consequence of cybersecurity failures by the defendant, with the lawsuit asserting claims of negligence, breach of fiduciary duty, breach of implied contract, breach of confidence, unjust enrichment/quasi-contract, and violations of the California Constitutional Right to Privacy, California Confidentiality of Medical Information Act, California Unfair Competition Law, California Consumer Records Act, California Consumer Privacy Act, and California Consumer Legal Remedies Act.
The defendant maintains that there was no wrongdoing and disagrees with all claims and contentions in the lawsuit; however, following two full-day mediation sessions, all parties reached an agreement to settle the litigation to avoid further legal expenses from what would likely be protracted litigation and the uncertainty of trial and related appeals.
Under the terms of the settlement, the defendant will establish a $3.5 million settlement fund from which attorneys’ fees ($1,166,666.67) and expenses (up to $35,000), settlement administration costs (up to $202,900), and service awards ($5,000 for each of the three plaintiffs) will be deducted. The remainder of the settlement will be used to pay for benefits for the class members.
Class members may submit a claim for reimbursement of documented, unreimbursed ordinary losses due to the data breach up to a maximum of $1,500 per class member, and up to $10,000 as reimbursement for documented, unreimbursed extraordinary losses, including losses due to identity theft and fraud. All class members who submit a valid claim are entitled to three years of credit monitoring services.
As an alternative to the credit monitoring services, class members can choose to receive a pro rata cash payment, expected to be approximately $50. The cash payments may be adjusted upwards or downwards depending on the number of valid claims received. Individuals who were California residents at the time of either of the two email security incidents may claim an additional pro rata cash payment of $50. These payments may also be adjusted based on the number of valid claims received.
The final approval hearing has been scheduled for February 19, 2026. Individuals wishing to object to the settlement, exclude themselves, or submit a claim for benefits must do so by January 5, 2026.