Posts

Showing posts with the label OCR

OCR Announces HIPAA Enforcement Action Against Self-Funded Group Health Plan

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) recently  announced  a HIPAA enforcement action against an employer-sponsored group health plan. The action resulted in a payment to HHS of $245,000 and a two-year corrective action plan. While HIPAA enforcement is common in the healthcare sector, actions directly against employer-sponsored group health plans are not as common. This case,  coupled with DOL guidance for ERISA fiduciaries concerning cybersecurity , underscores a growing regulatory focus not only on traditional healthcare entities, but also on the plans and ecosystems maintained by employers under ERISA. The Incident: Ransomware, Unauthorized Access, and Plan Data According to the breach notification sent to affected individuals, the plan sponsor experienced a security incident back in 2021 involving encryption of systems and unauthorized access to sensitive data . The data included names and Social Security numbers, along ...

OCR’s Risk Analysis Initiative: Lessons From Recent HIPAA Enforcement Actions

Health care organizations are under pressure to shore up their cybersecurity response efforts. Much of this pressure is coming from the  US  Department of Health and Human Services Office for Civil Rights ( OCR ) , which has made clear through recent enforcement actions that conducting a proper risk assessment under the Health Insurance Portability and Accountability Act ( HIPAA ) Security Rule is not optional. These enforcement actions ratcheted up during the Biden Administration and have continued during the Trump Administration, signaling that risk analysis remains a top compliance priority for organizations charged with complying with HIPAA. HIPAA’s Risk Assessment Requirement and Why It Matters Under the HIPAA Security Rule (as codified in 45 C.F.R. § 164.308), all HIPAA covered health care providers, health plans, health care clearinghouses (covered entities), and their business associates (collectively, regulated entities) must “[c]onduct an accurate and thorough a...

2025 Enforcement Trends: Risk Analysis Failures at the Center of HHS’s Multimillion-Dollar HIPAA Penalties

Image
In the first five months of 2025, the U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) announced it had entered into ten Health Insurance Portability and Accountability Act (HIPAA) resolution agreements reflecting the settlement of alleged HIPAA violations stemming from data breaches reported to OCR . These settlements span both the Biden and Trump administrations and involve a wide range of covered entities and business associates, from small physician groups to larger hospital authorities and IT service providers. Despite the diversity of organizations and underlying incidents, however, OCR’s enforcement focuses appear strikingly consistent. Each announcement indicates the resolution agreement was intended to cure defects in basic HIPAA Security Rule compliance, with a common emphasis on each organization’s failure to conduct a thorough risk analysis consistent with the HIPAA Security Rule. Quick Hits The HIPAA Security Rule requires HIPAA-covered ent...

Industry Groups Urge Rescission of Proposed HIPAA Security Rule Updates

In February, a coalition of healthcare organizations sent  a letter  to President Donald J. Trump and the U.S. Department of Health and Human Services (HHS) (the Letter), urging the immediate rescission of a  proposed update to the Security Rule under HIPAA . The update is aimed at strengthening safeguards for securing electronic protected health information. According to  The HIPAA Journal , the data breach trend in the healthcare industry over the past 14 years is up, not down. This is the case despite the  HIPAA Security Rule  having been in effect since 2005. The HIPAA Journal goes on to provide some sobering statistics: Between October 21, 2009, when OCR first started publishing summaries of data breach reports on its “Wall of Shame”, and and December 31, 2023, 5,887 large healthcare data breaches have been reported. On January 22, 2023, the breach portal listed 857 data breaches as still; under investigation. This time last year there were 882 breach...

OCR Settles Fourth Ransomware Investigation

  The Office for Civil Rights of the Department of Health and Human Services (OCR) announced on September 26, 2024, that it had entered a   settlement   with Cascade Eye and Skin Centers (together, Cascade) for $250,000 following an investigation of a ransomware attack against them. This is the fourth settlement against a victim of a ransomware attack. According to the OCR’s press release, “ Ransomware and hacking are the primary cyber-threats in health care. Since 2018, there has been a 264% increase in large breaches reported to OCR involving ransomware attacks.” The OCR’s investigation found that 291,000 files were affected by the attack. During its investigation, it alleges that Cascade potentially violated HIPAA by failing to conduct a risk analysis and to have sufficient monitoring of its systems to prevent a cyber-attack. The settlement is a stark reminder to covered entities and business associates that even if you are a victim of a criminal attack, you are still ...