Posts

Showing posts with the label ePHI

OCR Announces HIPAA Enforcement Action Against Self-Funded Group Health Plan

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) recently  announced  a HIPAA enforcement action against an employer-sponsored group health plan. The action resulted in a payment to HHS of $245,000 and a two-year corrective action plan. While HIPAA enforcement is common in the healthcare sector, actions directly against employer-sponsored group health plans are not as common. This case,  coupled with DOL guidance for ERISA fiduciaries concerning cybersecurity , underscores a growing regulatory focus not only on traditional healthcare entities, but also on the plans and ecosystems maintained by employers under ERISA. The Incident: Ransomware, Unauthorized Access, and Plan Data According to the breach notification sent to affected individuals, the plan sponsor experienced a security incident back in 2021 involving encryption of systems and unauthorized access to sensitive data . The data included names and Social Security numbers, along ...

OCR’s Risk Analysis Initiative: Lessons From Recent HIPAA Enforcement Actions

Health care organizations are under pressure to shore up their cybersecurity response efforts. Much of this pressure is coming from the  US  Department of Health and Human Services Office for Civil Rights ( OCR ) , which has made clear through recent enforcement actions that conducting a proper risk assessment under the Health Insurance Portability and Accountability Act ( HIPAA ) Security Rule is not optional. These enforcement actions ratcheted up during the Biden Administration and have continued during the Trump Administration, signaling that risk analysis remains a top compliance priority for organizations charged with complying with HIPAA. HIPAA’s Risk Assessment Requirement and Why It Matters Under the HIPAA Security Rule (as codified in 45 C.F.R. § 164.308), all HIPAA covered health care providers, health plans, health care clearinghouses (covered entities), and their business associates (collectively, regulated entities) must “[c]onduct an accurate and thorough a...

2025 Enforcement Trends: Risk Analysis Failures at the Center of HHS’s Multimillion-Dollar HIPAA Penalties

Image
In the first five months of 2025, the U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) announced it had entered into ten Health Insurance Portability and Accountability Act (HIPAA) resolution agreements reflecting the settlement of alleged HIPAA violations stemming from data breaches reported to OCR . These settlements span both the Biden and Trump administrations and involve a wide range of covered entities and business associates, from small physician groups to larger hospital authorities and IT service providers. Despite the diversity of organizations and underlying incidents, however, OCR’s enforcement focuses appear strikingly consistent. Each announcement indicates the resolution agreement was intended to cure defects in basic HIPAA Security Rule compliance, with a common emphasis on each organization’s failure to conduct a thorough risk analysis consistent with the HIPAA Security Rule. Quick Hits The HIPAA Security Rule requires HIPAA-covered ent...