HHS Confirms Active Enforcement of Information Blocking Rules

At a Thursday hearing, the Senate Health, Education, Labor and Pensions (HELP) Committee heard testimony from Thomas Keane, M.D., M.B.A., Assistant Secretary for Technology Policy and National Coordinator for Health Information Technology (ASTP/ONC) on the HHS’s efforts to make improvements in health and care through the access, exchange, and use of data.

“My top priority is fostering greater data liquidity in the U.S. health care system so that patients and their clinicians are in the driver’s seat. I see how modern data standards, combined with artificial intelligence (AI), can make health care more affordable, accessible, and can support improved health outcomes,” explained Keane.

It has been a decade since the 21st Century Cures Act was enacted in 2016. Key provisions of the act have been implemented, such as the establishment of the Trusted Exchange Framework and Common Agreement (TEFCA) for nationwide health information exchange across health information networks. TEFCA Exchange began in earnest in January 2024, and 11 Qualified Health Information Networks have now signed up and been vetted to facilitate data exchange. More than 70,000 locations nationwide are connected, and the exchange of more than 400 million health records is now supported. While TEFCA has yet to reach its full potential, when that happens, a healthcare provider will be able to access a patient’s full health history, regardless of the electronic health record system where that information is stored.

While the technology exists to support the seamless exchange of health data, information does not always flow unimpeded. At the hearing, HELP Committee members expressed frustration that health data is being blocked by healthcare providers, developers of certified health IT, and health information networks and exchanges. The 21st Century Cures Act prohibited information blocking; however, it took until 2023 to finalize the financial penalties for developers of health IT and another year to finalize the financial penalties for healthcare providers, and no penalties have yet been imposed for information blocking.

At the hearing, Keane confirmed that the federal government is taking action against entities engaged in information blocking. Since the HHS launched its information blocking complaint portal, more than 1,500 complaints have been filed alleging information blocking, the majority of which were filed by patients. Keane confirmed that ASTP/ONC has started actively enforcing its information blocking rules. A major enforcement initiative targeting noncompliance was launched in September 2025, allocating additional resources to support investigations and hold entities accountable for blocking the sharing of electronic health information. In the fall of last year, the HHS warned developers, providers, and health information exchanges that it would start cracking down on information blocking.

Since then, ASTP/ONC has been working closely with the HHS Office of Inspector General to ensure that bad actors face meaningful consequences for information blocking, and in February this year, ASTP/ONC sent notices to developers of certified health IT about potential non-conformity under the ONC Health IT Certification Program, requesting information and explanations about non-conformity issues. Should information blocking be confirmed, health IT developers could face penalties of up to $1 million per violation, while providers could be prevented from receiving Medicare payments.

Keane explained that ASTP/ONC is collaborating with the Federal Trade Commission (FTC), Department of Justice (DoJ), and state governments to identify potential anti-competitive business practices and other practices that are preventing the seamless exchange of health information. ASTP/ONC is also continuing to work with providers, health information networks, and health IT developers to improve understanding of what constitutes information blocking and the steps they must take to ensure compliance with the law.

“In [the] not-so-distant future, an individual with multiple chronic conditions can keep all their health information in one secure digital place and share it instantly with a new provider, a caregiver, or a trusted app—no matter where they live or where they receive care,” Keane said.

The post HHS Confirms Active Enforcement of Information Blocking Rules appeared first on The HIPAA Journal.

Business Associate Settles HIPAA Violations Related to Unreported Breach Affecting 15 Million Individuals

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has announced its second enforcement action of the year to resolve alleged violations of the Health Insurance Portability and Accountability Act (HIPAA). MMG Fusion LLC, a Maryland-based company that provides software solutions to oral healthcare providers, has agreed to settle the alleged violations and pay a financial penalty. The case is significant, as it involves an unreported data breach that affected 15 million individuals.

An unauthorized actor gained access to MMG’s internal network on December 21, 2020, and accessed patients’ protected health information, including names, phone numbers, mailing addresses, email addresses, dates of birth, and dates and times of medical appointments. The threat actor exfiltrated data from MMG’s network and subsequently posted that information on the dark web.

A data breach of that magnitude would have attracted considerable media attention; however, it slipped under the radar because the breach was not reported to OCR, and the affected covered entities were not notified about the data breach. OCR’s investigation was launched not in response to a breach report, but in response to a complaint about an unreported data breach. OCR received the complaint on January 6, 2023, and initiated an investigation in March 2023.

OCR determined that MMG had failed to comply with multiple provisions of the HIPAA Rules. Prior to the data breach, MMG had not conducted a comprehensive and accurate risk assessment to identify risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI), as required by the HIPAA Security Rule.

OCR determined that MMG failed to ensure that ePHI was not used or disclosed for reasons not expressly permitted by the HIPAA Privacy Rule, and MMG failed to issue notifications to the affected covered entity clients that there had been a breach of unsecured protected health information, in violation of the HIPAA Breach Notification Rule. Rather than pursue a civil monetary penalty to resolve the alleged HIPAA violations, OCR agreed to a settlement. MMG has agreed to pay a financial penalty of $10,000 to resolve the alleged HIPAA violations and will adopt a comprehensive corrective action plan.

The corrective action plan requires MMG to conduct a comprehensive and accurate risk analysis to identify risks and vulnerabilities to ePHI. An enterprise-wide risk management plan must be developed and implemented to address and mitigate any risks and vulnerabilities identified by the risk analysis. Policies and procedures must be developed to ensure compliance with the HIPAA Rules, and those policies and procedures must be distributed to members of the workforce. MMG must provide training to its workforce and provide OCR with a copy of the training materials so that they can be assessed.

OCR will provide MMG with feedback on the thoroughness and accuracy of its risk assessment, and MMG must incorporate that feedback into its risk assessment and resubmit it to HHS for additional feedback. That process will continue until HHS is satisfied that the risk assessment is comprehensive and accurate. OCR must also be provided with a comprehensive list of all clients affected by the data breach, and once the risk assessment has been approved by OCR, MMG must notify all affected covered entity clients about the data breach, along with the identities of all patients whose ePHI is reasonably believed to have been impacted.

While not stated in the corrective action plan, the HIPAA Breach Notification Rule requires each covered entity to determine whether breach notifications are required and to ensure that those notifications are issued within 60 days of receiving a breach notice from a business associate. Covered entities are permitted to delegate the notification responsibilities to MMG, per the terms of their business associate agreements. The cost of notification for such a colossal data breach would be high, and if that cost is to be borne by MMG, that could explain why the penalty imposed to resolve multiple violations of the HIPAA Rules is so low.

OCR currently has an enforcement initiative targeting noncompliance with the risk analysis provision of the HIPAA Security Rule and the Right of Access provision of the HIPAA Privacy Rule; however, in 2025, the second-most common reason for a financial penalty, behind risk analysis failures, was breach notification failures. HIPAA covered entities and their business associates must ensure that timely breach notifications are issued to OCR, the affected individuals, and the media, and, in the event of a breach at a business associate, that all affected covered entity clients are notified within 60 days of the discovery of the data breach.

“When a breach occurs, business associates must notify affected covered entities without unreasonable delay and within 60 calendar days of discovery,” said OCR Director Paula M. Stannard. “This timeliness is crucial for a covered entity to meet its own breach notification obligations, such as timely notification to HHS and to individuals. As hacking becomes more ubiquitous, HIPAA Security Rule requirements, such as the need to have an accurate and thorough HIPAA risk analysis, are imperative for strengthening cybersecurity before a breach occurs.”

The post Business Associate Settles HIPAA Violations Related to Unreported Breach Affecting 15 Million Individuals appeared first on The HIPAA Journal.