HHS

The U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), has announced a settlement with Northeast Surgical Group, P.C. (NESG), a Michigan-based provider of surgical services, for potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. OCR oversees the enforcement of the HIPAA Privacy, Security, and Breach Notification Rules, which are designed to protect the privacy and security of protected health information (PHI) by setting compliance standards for covered entities and business associates. The HIPAA Security Rule establishes national safeguards—administrative, physical, and technical—to ensure the confidentiality, integrity, and security of electronic PHI (ePHI). [...]

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has announced a $90,000 settlement with Virtual Private Network Solutions, LLC (VPN Solutions), a Virginia-based business associate that provides data hosting and cloud services to covered entities and other business associates. This settlement addresses potential violations of the HIPAA Security Rule, which sets national standards for safeguarding electronic protected health information (ePHI). The investigation stemmed from a ransomware attack on VPN Solutions' systems. OCR Director Melanie Fontes Rainer emphasized the importance of proactive security measures, stating, “An accurate and thorough risk analysis is foundational to both HIPAA [...]

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced today that Elgon Information Systems (Elgon), a Massachusetts-based company providing electronic medical record and billing support services to covered entities, has agreed to an $80,000 settlement for violations of the HIPAA Security Rule. OCR enforces HIPAA's Privacy, Security, and Breach Notification Rules, which outline the responsibilities of covered entities—such as health plans, healthcare clearinghouses, and healthcare providers—and their business associates in safeguarding protected health information (PHI). The HIPAA Security Rule establishes national standards to protect electronic PHI (ePHI) through administrative, physical, and technical safeguards. This settlement [...]

Today, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced a settlement with Inmediata Health Group, LLC (Inmediata), a health care clearinghouse, over potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule. This follows a complaint to OCR that HIPAA-protected health information was accessible to search engines like Google on the internet. "Health care entities must ensure that patient health information is not left accessible online to anyone with an internet connection," said OCR Director Melanie Fontes Rainer. "Effective cybersecurity requires being proactive and vigilant in identifying risks and [...]

Today, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), announced a civil monetary penalty of $548,265 against Children’s Hospital Colorado for violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules. These violations were reported in breach reports received in 2017 and 2020, relating to email phishing and cyberattacks. OCR is responsible for enforcing the HIPAA Privacy, Security, and Breach Notification Rules, which outline the requirements that covered entities (such as health plans, health care clearinghouses, and most health care providers), and business associates must follow to protect the [...]

Today, the Office for Civil Rights (OCR) within the U.S. Department of Health and Human Services (HHS) announced a $1.19 million civil monetary penalty against Gulf Coast Pain Consultants, LLC, operating as Clearway Pain Solutions Institute in Florida. This penalty comes in response to violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule following a breach report indicating that a former contractor had improperly accessed their electronic records system. OCR enforces the HIPAA Privacy, Security, and Breach Notification Rules, which outline the requirements that health plans, healthcare clearinghouses, most healthcare providers, and their business associates must [...]

The settlement highlights the importance of safeguarding the privacy of PHI, including reproductive health information. Today, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced a settlement with Holy Redeemer Family Medicine (Holy Redeemer), a Pennsylvania hospital, regarding an alleged violation of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule. The violation involved the impermissible disclosure of a female patient’s protected health information, including details related to reproductive health care. OCR enforces the HIPAA Privacy, Security, and Breach Notification Rules, which set the standards that covered entities (such as health plans, [...]

Today, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), announced a $100,000 civil monetary penalty against Rio Hondo Community Mental Health Center (“Rio Hondo”) in California. The penalty resolves an investigation into Rio Hondo's failure to provide a patient with timely access to their medical records. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule’s right of access provisions require that individuals or their personal representatives have timely access to their health information (within 30 days, with the possibility of one 30-day extension) for a reasonable, cost-based fee. OCR enforces the HIPAA [...]

Today, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced a $70,000 civil monetary penalty against Gums Dental Care, LLC, a solo dental practice in Maryland that provides family dental care. This penalty resulted from an investigation based on a complaint that Gums Dental Care failed to provide a patient with timely access to their medical records. According to the HIPAA Privacy Rule’s right of access provisions, individuals or their personal representatives must have timely access to their health information (within 30 days, with a possible one-time 30-day extension) for a reasonable, cost-based fee. “OCR [...]

The U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), has announced a $240,000 civil monetary penalty against Providence Medical Institute in Southern California. This penalty follows an investigation into potential Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule violations prompted by a ransomware attack. Since 2018, ransomware attacks reported to OCR have increased by 264%. "Failing to implement all HIPAA Security Rule requirements fully leaves covered entities and business associates vulnerable to cyberattacks, compromising patient health information privacy and security," said OCR Director Melanie Fontes Rainer. "The healthcare sector must take cybersecurity seriously [...]