HHS

Today, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced a settlement with Inmediata Health Group, LLC (Inmediata), a health care clearinghouse, over potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule. This follows a complaint to OCR that HIPAA-protected health information was accessible to search engines like Google on the internet. "Health care entities must ensure that patient health information is not left accessible online to anyone with an internet connection," said OCR Director Melanie Fontes Rainer. "Effective cybersecurity requires being proactive and vigilant in identifying risks and [...]

Today, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), announced a civil monetary penalty of $548,265 against Children’s Hospital Colorado for violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules. These violations were reported in breach reports received in 2017 and 2020, relating to email phishing and cyberattacks. OCR is responsible for enforcing the HIPAA Privacy, Security, and Breach Notification Rules, which outline the requirements that covered entities (such as health plans, health care clearinghouses, and most health care providers), and business associates must follow to protect the [...]

Today, the Office for Civil Rights (OCR) within the U.S. Department of Health and Human Services (HHS) announced a $1.19 million civil monetary penalty against Gulf Coast Pain Consultants, LLC, operating as Clearway Pain Solutions Institute in Florida. This penalty comes in response to violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule following a breach report indicating that a former contractor had improperly accessed their electronic records system. OCR enforces the HIPAA Privacy, Security, and Breach Notification Rules, which outline the requirements that health plans, healthcare clearinghouses, most healthcare providers, and their business associates must [...]

The settlement highlights the importance of safeguarding the privacy of PHI, including reproductive health information. Today, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced a settlement with Holy Redeemer Family Medicine (Holy Redeemer), a Pennsylvania hospital, regarding an alleged violation of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule. The violation involved the impermissible disclosure of a female patient’s protected health information, including details related to reproductive health care. OCR enforces the HIPAA Privacy, Security, and Breach Notification Rules, which set the standards that covered entities (such as health plans, [...]

Today, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), announced a $100,000 civil monetary penalty against Rio Hondo Community Mental Health Center (“Rio Hondo”) in California. The penalty resolves an investigation into Rio Hondo's failure to provide a patient with timely access to their medical records. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule’s right of access provisions require that individuals or their personal representatives have timely access to their health information (within 30 days, with the possibility of one 30-day extension) for a reasonable, cost-based fee. OCR enforces the HIPAA [...]

Today, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced a $70,000 civil monetary penalty against Gums Dental Care, LLC, a solo dental practice in Maryland that provides family dental care. This penalty resulted from an investigation based on a complaint that Gums Dental Care failed to provide a patient with timely access to their medical records. According to the HIPAA Privacy Rule’s right of access provisions, individuals or their personal representatives must have timely access to their health information (within 30 days, with a possible one-time 30-day extension) for a reasonable, cost-based fee. “OCR [...]

The U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), has announced a $240,000 civil monetary penalty against Providence Medical Institute in Southern California. This penalty follows an investigation into potential Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule violations prompted by a ransomware attack. Since 2018, ransomware attacks reported to OCR have increased by 264%. "Failing to implement all HIPAA Security Rule requirements fully leaves covered entities and business associates vulnerable to cyberattacks, compromising patient health information privacy and security," said OCR Director Melanie Fontes Rainer. "The healthcare sector must take cybersecurity seriously [...]

Essex Residential Care, LLC, must pay $100,000 as a result of failing to adhere to HIPAA's Right of Access. The U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), has declared a civil monetary penalty of $100,000 against Essex Residential Care, LLC, operating as Hackensack Meridian Health, West Caldwell Care Center (“Hackensack Meridian Health”), a skilled nursing facility offering long-term care and rehabilitation services. The penalty stems from an investigation by OCR into Hackensack Meridian Health's violation of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule, specifically for failing to promptly provide a [...]

Today, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), announced a resolution with Phoenix Healthcare, a nursing care organization in Oklahoma with multiple facilities, regarding a potential violation under the Health Insurance Portability and Accountability Act (HIPAA) Right of Access provision. This settlement marks the 47th enforcement action in the OCR Right of Access Initiative. It mandates that individuals or their personal representatives must have timely access to their health information. According to HIPAA regulations, covered entities must grant access to protected health information within 30 days of receiving a request from an individual. OCR's [...]

Today, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), disclosed a resolution with Lafourche Medical Group, a Louisiana-based medical entity specializing in emergency medicine, occupational medicine, and laboratory testing. The agreement concludes an inquiry prompted by a phishing attack that impacted the electronic protected health information of around 34,862 individuals. Phishing, a form of cybersecurity attack, involves deceiving individuals into revealing sensitive information through electronic means, like email, by posing as a trustworthy entity. This settlement represents the first instance in which OCR has addressed a phishing attack under the Health Insurance Portability and Accountability Act [...]