Posts

Showing posts with the label resolution agreement

2025 Enforcement Trends: Risk Analysis Failures at the Center of HHS’s Multimillion-Dollar HIPAA Penalties

Image
In the first five months of 2025, the U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) announced it had entered into ten Health Insurance Portability and Accountability Act (HIPAA) resolution agreements reflecting the settlement of alleged HIPAA violations stemming from data breaches reported to OCR . These settlements span both the Biden and Trump administrations and involve a wide range of covered entities and business associates, from small physician groups to larger hospital authorities and IT service providers. Despite the diversity of organizations and underlying incidents, however, OCR’s enforcement focuses appear strikingly consistent. Each announcement indicates the resolution agreement was intended to cure defects in basic HIPAA Security Rule compliance, with a common emphasis on each organization’s failure to conduct a thorough risk analysis consistent with the HIPAA Security Rule. Quick Hits The HIPAA Security Rule requires HIPAA-covered ent...