Blog

WASHINGTON, D.C. — The U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), has reached a settlement with Vision Upright MRI, a California-based healthcare provider specializing in magnetic resonance imaging (MRI) services, following potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Breach Notification and Security Rules. The settlement resolves an investigation into a data breach involving an unsecured server that exposed the medical images of 21,778 individuals. Background on HIPAA Rules HIPAA’s Privacy, Security, and Breach Notification Rules require covered entities (healthcare providers, health plans, and clearinghouses) and their business associates to safeguard protected health information (PHI). Key provisions include: Risk Analysis Requirement – Organizations must assess potential [...]

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has reached a settlement with Comprehensive Neurology, PC—a small neurology practice based in New York—over potential violations of the HIPAA Security Rule. This action follows an OCR investigation into a ransomware attack that compromised patient data. OCR enforces the HIPAA Privacy, Security, and Breach Notification Rules, which mandate how covered entities (such as health care providers, health plans, and clearinghouses) and their business associates must protect patients' protected health information (PHI). Specifically, the HIPAA Security Rule requires administrative, physical, and technical safeguards to ensure the confidentiality, integrity, [...]

Washington, D.C. – The U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), has reached a $600,000 settlement with PIH Health, Inc., a California-based healthcare provider, following an investigation into potential HIPAA violations stemming from a phishing attack that compromised sensitive patient data. The breach, reported by PIH in January 2020, occurred in June 2019 when attackers infiltrated 45 employee email accounts, exposing the electronic protected health information (ePHI) of 189,763 individuals. The compromised data included: Names, addresses, and dates of birth Social Security and driver’s license numbers Medical diagnoses, lab results, and treatment details Insurance claims and financial information OCR Findings: Key HIPAA Failures OCR’s investigation revealed that PIH failed to: [...]

The U.S. Department of Health and Human Services (HHS), through its Office for Civil Rights (OCR), has announced a settlement with Guam Memorial Hospital Authority (GMHA) regarding potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule. This action follows two complaints indicating unauthorized disclosure of patients' electronic protected health information (ePHI). GMHA is a public hospital located on the U.S. Territory of Guam. The HIPAA Privacy, Security, and Breach Notification Rules, enforced by OCR, mandate safeguards for the privacy and security of protected health information by covered entities (including health plans, clearinghouses, and most healthcare [...]

The U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), has announced a settlement with Northeast Radiology, P.C. (NERAD), a medical imaging provider operating in New York and Connecticut, over potential violations of the HIPAA Security Rule. OCR is responsible for enforcing the HIPAA Privacy, Security, and Breach Notification Rules. These rules establish the requirements that covered entities—such as health plans, healthcare providers, and clearinghouses—and their business associates must follow to protect the privacy and security of protected health information (PHI). The HIPAA Security Rule, in particular, outlines national standards requiring administrative, physical, and technical safeguards to [...]

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has reached a settlement with Health Fitness Corporation (Health Fitness), an Illinois-based provider of wellness plans nationwide, over a potential HIPAA Security Rule violation. OCR is responsible for enforcing the HIPAA Privacy, Security, and Breach Notification Rules, which outline the obligations of covered entities—such as health plans, health care clearinghouses, and most health care providers—as well as business associates like Health Fitness. The HIPAA Security Rule establishes national standards for safeguarding electronic protected health information (ePHI) through administrative, physical, and technical measures that ensure its confidentiality, integrity, [...]

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has imposed a $1.5 million civil money penalty on Warby Parker, Inc., an eyewear manufacturer and online retailer, for violations of the HIPAA Security Rule. The penalty follows an investigation into a data breach caused by unauthorized access to customer accounts by third parties. HIPAA Security Rule and Compliance Requirements OCR enforces the HIPAA Privacy, Security, and Breach Notification Rules, which require health plans, health care providers, and business associates to safeguard protected health information (PHI). The HIPAA Security Rule sets national standards for protecting electronic PHI [...]