As enforcement activity continues from the Department of Health and Human Services (HHS) Office for Civil Rights (OCR), HIPAA-regulated entities are urged to start 2025 by ensuring robust compliance with the HIPAA regulations.
Phishing incident results in double breach
On January 14, 2025, OCR announced a $3,000,000 settlement with Solara Medical Supplies, LLC (Solara), a supplier and direct-to-patient distributor of continuous glucose monitors, insulin pumps, and other supplies to patients with diabetes, over alleged violations of the HIPAA Security Rule and Breach Notification Rule. OCR began investigating Solara in November 2019 after receiving a breach report concerning a phishing incident where an unauthorized third party accessed email accounts of Solara employees. The incident resulted in the breach of 114,007 individuals’ electronic protected health information (ePHI). When sending required breach notifications to individuals affected by the phishing attack, Solara sent 1,531 breach notification letters to the wrong addresses, resulting in a second breach report to OCR.
In addition to the monetary settlement, Solara’s resolution agreement includes a two-year corrective action plan (CAP) that requires Solara to:
- Conduct a comprehensive security risk analysis evaluating risks and vulnerabilities to ePHI;
- Develop and implement a risk management plan to identify and mitigate security risks and vulnerabilities detected in its security risk analysis;
- Maintain and revise, as necessary, policies and procedures that are compliant with HIPAA; and
- Train its workforce members on HIPAA policies and procedures.
Ransomware attack results in OCR’s fourth enforcement action in Risk Analysis Initiative
Shortly after issuing the second and third enforcement actions in OCR’s Risk Analysis Initiative, OCR announced a settlement with Northeast Surgical Group, P.C. (NESG), a Michigan-based surgical services provider, after investigating a ransomware incident reported in March 2023. The incident resulted in the ePHI of 15,298 patients being encrypted and exfiltrated from the NESG network. OCR’s investigation revealed that NESG did not conduct a HIPAA-compliant security risk analysis to identify potential risks and vulnerabilities to ePHI. In addition to the $10,000 financial settlement, NESG is subject to a two-year CAP that ensures the necessary steps are taken to comply with the HIPAA Security Rule, including evaluating its security risk analysis and implementing a risk management plan to address any security risks and vulnerabilities.
Beyond breach-related enforcement actions, OCR continues to prioritize its Right of Access Initiative
On January 15, 2025, OCR announced an enforcement action against South Broward Hospital District d/b/a Memorial Healthcare System (Memorial Healthcare System) for alleged violations of the HIPAA Privacy Rule’s right of access requirements. This marks OCR’s 52nd enforcement action under its Right of Access Initiative. As with past enforcement actions, OCR has emphasized that right of access continues to be a priority. OCR settled with Memorial Healthcare System for $60,000 after investigating a complaint from an individual that he was not given timely access to his medical records, even after multiple requests via the patient portal, mail, and phone. According to the Notice of Proposed Determination, the individual did not receive his records until September 2021, despite his initial records request in December 2020. HIPAA-regulated entities are required to provide access to protected health information (PHI) within 30 days of receiving a request by an individual or their personal representative, unless information is not readily accessible, in which case the entity may extend the time by no more than an additional 30 days.
Takeaways for HIPAA-regulated entities
As OCR continues investigations under its Right of Access Initiative and its Risk Analysis Initiative, HIPAA-regulated entities should start 2025 by reviewing their compliance with HIPAA. Covered entities should take steps to strengthen training for their workforce members who receive record access requests from patients or their personal representatives and for workforce members who are involved in the breach notification process. Covered entities should consider specialized training for certain job roles to ensure that workforce members are adequately trained on HIPAA policies and procedures.
OCR’s enforcement actions emphasize the importance of comprehensive security risk analyses. Covered entities should ensure that they are conducting a comprehensive and compliant enterprise-wide assessment of potential security risks and vulnerabilities that addresses any factors that could affect the confidentiality, integrity, and availability of ePHI. The security risk analysis should also identify all of the PHI received, maintained, or transmitted by the organization. Finally, HIPAA-regulated entities must address deficiencies identified within security risk analyses and implement adequate safeguards to preserve the confidentiality, integrity, and availability of ePHI.