HHS

WASHINGTON — A substance use disorder treatment center in Illinois has agreed to pay a $103,000 penalty and submit to two years of federal monitoring after a successful phishing attack compromised the private health information of nearly 2,000 patients. The U.S. Department of Health and Human Services (HHS) announced a settlement this week with Top of the World Ranch Treatment Center (TWRTC) regarding potential violations of the HIPAA Security Rule. The enforcement action is part of a ongoing initiative by the HHS Office for Civil Rights (OCR) to ensure healthcare organizations are properly analyzing their security risks. The investigation was triggered by [...]

The U.S. Department of Health and Human Services (HHS) has settled with healthcare provider Concentra, Inc. for failing to provide a patient with timely access to their own medical records. An investigation found that after a patient made six requests starting in February 2018, Concentra did not provide the records until March 2019—over a year later. HIPAA law requires providers to fulfill such requests within 30 days. Concentra has agreed to pay $112,500 to resolve the case. This marks the 54th enforcement action under HHS's "Right of Access" initiative, which emphasizes that patients have a fundamental right to access their health [...]

The U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), has reached a settlement with Deer Oaks – The Behavioral Health Solution over potential violations of the HIPAA Privacy and Security Rules. Deer Oaks, which offers psychological and psychiatric services to residents in long-term care and assisted living facilities, was found to have failed key compliance obligations under HIPAA. OCR enforces the HIPAA Privacy, Security, and Breach Notification Rules to ensure that covered entities—such as health plans, most healthcare providers, and their business associates—safeguard protected health information (PHI). The Privacy Rule establishes standards for the use and [...]

The U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), has reached a settlement with BayCare Health System (BayCare), a Florida-based healthcare provider, regarding potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule. The agreement resolves an OCR investigation into a complaint alleging unauthorized access to a patient’s electronic protected health information (ePHI). OCR enforces the HIPAA Privacy, Security, and Breach Notification Rules, which establish requirements for covered entities—including health plans, healthcare clearinghouses, and most healthcare providers—and their business associates to protect the privacy and security of protected health information (PHI). [...]

WASHINGTON, D.C. — The U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), has reached a settlement with Vision Upright MRI, a California-based healthcare provider specializing in magnetic resonance imaging (MRI) services, following potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Breach Notification and Security Rules. The settlement resolves an investigation into a data breach involving an unsecured server that exposed the medical images of 21,778 individuals. Background on HIPAA Rules HIPAA’s Privacy, Security, and Breach Notification Rules require covered entities (healthcare providers, health plans, and clearinghouses) and their business associates to safeguard protected health information (PHI). Key provisions include: Risk Analysis Requirement – Organizations must assess potential [...]

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has reached a settlement with Comprehensive Neurology, PC—a small neurology practice based in New York—over potential violations of the HIPAA Security Rule. This action follows an OCR investigation into a ransomware attack that compromised patient data. OCR enforces the HIPAA Privacy, Security, and Breach Notification Rules, which mandate how covered entities (such as health care providers, health plans, and clearinghouses) and their business associates must protect patients' protected health information (PHI). Specifically, the HIPAA Security Rule requires administrative, physical, and technical safeguards to ensure the confidentiality, integrity, [...]

Washington, D.C. – The U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), has reached a $600,000 settlement with PIH Health, Inc., a California-based healthcare provider, following an investigation into potential HIPAA violations stemming from a phishing attack that compromised sensitive patient data. The breach, reported by PIH in January 2020, occurred in June 2019 when attackers infiltrated 45 employee email accounts, exposing the electronic protected health information (ePHI) of 189,763 individuals. The compromised data included: Names, addresses, and dates of birth Social Security and driver’s license numbers Medical diagnoses, lab results, and treatment details Insurance claims and financial information OCR Findings: Key HIPAA Failures OCR’s investigation revealed that PIH failed to: [...]

The U.S. Department of Health and Human Services (HHS), through its Office for Civil Rights (OCR), has announced a settlement with Guam Memorial Hospital Authority (GMHA) regarding potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule. This action follows two complaints indicating unauthorized disclosure of patients' electronic protected health information (ePHI). GMHA is a public hospital located on the U.S. Territory of Guam. The HIPAA Privacy, Security, and Breach Notification Rules, enforced by OCR, mandate safeguards for the privacy and security of protected health information by covered entities (including health plans, clearinghouses, and most healthcare [...]

The U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), has announced a settlement with Northeast Radiology, P.C. (NERAD), a medical imaging provider operating in New York and Connecticut, over potential violations of the HIPAA Security Rule. OCR is responsible for enforcing the HIPAA Privacy, Security, and Breach Notification Rules. These rules establish the requirements that covered entities—such as health plans, healthcare providers, and clearinghouses—and their business associates must follow to protect the privacy and security of protected health information (PHI). The HIPAA Security Rule, in particular, outlines national standards requiring administrative, physical, and technical safeguards to [...]

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has reached a settlement with Health Fitness Corporation (Health Fitness), an Illinois-based provider of wellness plans nationwide, over a potential HIPAA Security Rule violation. OCR is responsible for enforcing the HIPAA Privacy, Security, and Breach Notification Rules, which outline the obligations of covered entities—such as health plans, health care clearinghouses, and most health care providers—as well as business associates like Health Fitness. The HIPAA Security Rule establishes national standards for safeguarding electronic protected health information (ePHI) through administrative, physical, and technical measures that ensure its confidentiality, integrity, [...]