HHS

The U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), has reached a settlement with BayCare Health System (BayCare), a Florida-based healthcare provider, regarding potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule. The agreement resolves an OCR investigation into a complaint alleging unauthorized access to a patient’s electronic protected health information (ePHI). OCR enforces the HIPAA Privacy, Security, and Breach Notification Rules, which establish requirements for covered entities—including health plans, healthcare clearinghouses, and most healthcare providers—and their business associates to protect the privacy and security of protected health information (PHI). [...]

WASHINGTON, D.C. — The U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), has reached a settlement with Vision Upright MRI, a California-based healthcare provider specializing in magnetic resonance imaging (MRI) services, following potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Breach Notification and Security Rules. The settlement resolves an investigation into a data breach involving an unsecured server that exposed the medical images of 21,778 individuals. Background on HIPAA Rules HIPAA’s Privacy, Security, and Breach Notification Rules require covered entities (healthcare providers, health plans, and clearinghouses) and their business associates to safeguard protected health information (PHI). Key provisions include: Risk Analysis Requirement – Organizations must assess potential [...]

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has reached a settlement with Comprehensive Neurology, PC—a small neurology practice based in New York—over potential violations of the HIPAA Security Rule. This action follows an OCR investigation into a ransomware attack that compromised patient data. OCR enforces the HIPAA Privacy, Security, and Breach Notification Rules, which mandate how covered entities (such as health care providers, health plans, and clearinghouses) and their business associates must protect patients' protected health information (PHI). Specifically, the HIPAA Security Rule requires administrative, physical, and technical safeguards to ensure the confidentiality, integrity, [...]

Washington, D.C. – The U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), has reached a $600,000 settlement with PIH Health, Inc., a California-based healthcare provider, following an investigation into potential HIPAA violations stemming from a phishing attack that compromised sensitive patient data. The breach, reported by PIH in January 2020, occurred in June 2019 when attackers infiltrated 45 employee email accounts, exposing the electronic protected health information (ePHI) of 189,763 individuals. The compromised data included: Names, addresses, and dates of birth Social Security and driver’s license numbers Medical diagnoses, lab results, and treatment details Insurance claims and financial information OCR Findings: Key HIPAA Failures OCR’s investigation revealed that PIH failed to: [...]

The U.S. Department of Health and Human Services (HHS), through its Office for Civil Rights (OCR), has announced a settlement with Guam Memorial Hospital Authority (GMHA) regarding potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule. This action follows two complaints indicating unauthorized disclosure of patients' electronic protected health information (ePHI). GMHA is a public hospital located on the U.S. Territory of Guam. The HIPAA Privacy, Security, and Breach Notification Rules, enforced by OCR, mandate safeguards for the privacy and security of protected health information by covered entities (including health plans, clearinghouses, and most healthcare [...]

The U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), has announced a settlement with Northeast Radiology, P.C. (NERAD), a medical imaging provider operating in New York and Connecticut, over potential violations of the HIPAA Security Rule. OCR is responsible for enforcing the HIPAA Privacy, Security, and Breach Notification Rules. These rules establish the requirements that covered entities—such as health plans, healthcare providers, and clearinghouses—and their business associates must follow to protect the privacy and security of protected health information (PHI). The HIPAA Security Rule, in particular, outlines national standards requiring administrative, physical, and technical safeguards to [...]

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has reached a settlement with Health Fitness Corporation (Health Fitness), an Illinois-based provider of wellness plans nationwide, over a potential HIPAA Security Rule violation. OCR is responsible for enforcing the HIPAA Privacy, Security, and Breach Notification Rules, which outline the obligations of covered entities—such as health plans, health care clearinghouses, and most health care providers—as well as business associates like Health Fitness. The HIPAA Security Rule establishes national standards for safeguarding electronic protected health information (ePHI) through administrative, physical, and technical measures that ensure its confidentiality, integrity, [...]

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has imposed a $1.5 million civil money penalty on Warby Parker, Inc., an eyewear manufacturer and online retailer, for violations of the HIPAA Security Rule. The penalty follows an investigation into a data breach caused by unauthorized access to customer accounts by third parties. HIPAA Security Rule and Compliance Requirements OCR enforces the HIPAA Privacy, Security, and Breach Notification Rules, which require health plans, health care providers, and business associates to safeguard protected health information (PHI). The HIPAA Security Rule sets national standards for protecting electronic PHI [...]

Today, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), announced a $200,000 civil monetary penalty against Oregon Health & Science University (OHSU), a public academic health center and research university, for failing to comply with an individual’s right to timely access her medical records through a personal representative. Under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule’s "Right of Access" provisions, individuals or their personal representatives are entitled to timely access to their health information. Covered entities, such as health plans and most healthcare providers, must provide requested records within 30 [...]

The U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), has announced a settlement with Northeast Surgical Group, P.C. (NESG), a Michigan-based provider of surgical services, for potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. OCR oversees the enforcement of the HIPAA Privacy, Security, and Breach Notification Rules, which are designed to protect the privacy and security of protected health information (PHI) by setting compliance standards for covered entities and business associates. The HIPAA Security Rule establishes national safeguards—administrative, physical, and technical—to ensure the confidentiality, integrity, and security of electronic PHI (ePHI). [...]