Skip to main content

Nixon Peabody LLP

  • People
  • Capabilities
  • Insights
  • About
Trending Topics
    • People
    • Capabilities
    • Insights
    • About
    • Locations
    • Events
    • Careers
    • Alumni
    Practices

    View All

    • Affordable Housing
    • Community Development Finance
    • Corporate & Finance
    • Cybersecurity & Privacy
    • Entertainment & Media
    • Environmental
    • Franchising & Distribution
    • Government Investigations & White Collar Defense
    • Healthcare
    • Intellectual Property
    • International Services
    • Labor, Employment, and Benefits
    • Litigation
    • Private Wealth & Advisory
    • Project Finance
    • Public Finance
    • Real Estate
    • Regulatory & Government Relations
    Industries

    View All

    • Aviation
    • Cannabis
    • Consumer
    • Energy
    • Financial Services
    • Healthcare
    • Higher Education
    • Infrastructure
    • Manufacturing
    • Nonprofit Organizations
    • Real Estate
    • Sports & Stadiums
    • Technology
    Value-Added Services

    View All

    • Alternative Fee Arrangements

      Developing innovative pricing structures and alternative fee agreement models that deliver additional value for our clients.

    • Continuing Education

      Advancing professional knowledge and offering credits for attorneys, staff and other professionals.

    • Crisis Advisory

      Helping clients respond correctly when a crisis occurs.

    • DEI Strategic Services

      Providing our clients with legal, strategic, and practical advice to make transformational changes in their organizations.

    • eDiscovery

      Leveraging law and technology to deliver sound solutions.

    • Environmental, Social, and Governance (ESG)

      We help clients create positive return on investments in people, products, and the planet.

    • Global Services

      Delivering seamless service through partnerships across the globe.

    • Innovation

      Leveraging leading-edge technology to guide change and create seamless, collaborative experiences for clients and attorneys.

    • IPED

      Industry-leading conferences focused on affordable housing, tax credits, and more.

    • Legal Project Management

      Providing actionable information to support strategic decision-making.

    • Legally Green

      Teaming with clients to advance sustainable projects, mitigate the effects of climate change, and protect our planet.

    • Nixon Peabody Trust Company

      Offering a range of investment management and fiduciary services.

    • NP Capital Connector

      Bringing together companies and investors for tomorrow’s new deals.

    • NP Second Opinion

      Offering fresh insights on cases that are delayed, over budget, or off-target from the desired resolution.

    • NP Trial

      Courtroom-ready lawyers who can resolve disputes early on clients’ terms or prevail at trial before a judge or jury.

    • Social Impact

      Creating positive impact in our communities through increasing equity, access, and opportunity.

    • Women in Dealmaking

      We provide strategic counsel on complex corporate transactions and unite dynamic women in the dealmaking arena.

    1. Home
    2. Insights
    3. Articles
    4. Lessons learned from OCR’s recent HIPAA enforcement

      Articles

    Article

    Lessons learned from OCR’s recent HIPAA enforcement

    Oct 5, 2023

    LinkedInX (Twitter)EmailCopy URL

    By Valerie MontagueLegal intern Grace Connelly in Nixon Peabody's Healthcare practice assisted with the preparation of this article.

    The OCR enforcement actions released in the summer of 2023 provide important reminders to HIPAA covered entities and business associates on how to strengthen their HIPAA compliance programs and safeguard protected health information.

    The U.S. Department of Health and Human Services, Office for Civil Rights (OCR) issued a number of resolution agreements during the summer of 2023. These resolution agreements are diverse in the types of entities involved, as well as the identified issues of HIPAA noncompliance. There are several takeaways from the resolution agreements, as well as the corresponding corrective action plans (CAPs), that remind HIPAA-regulated entities of important compliance obligations.

    Access restrictions provide fundamental security protection.

    On June 15, 2023, OCR entered into a resolution agreement with Yakima Valley Memorial Hospital, a not-for-profit community hospital in Yakima, Washington, to resolve allegations that workforce members violated HIPAA by “snooping” in patients’ medical records.

    In February 2018, the hospital notified OCR of a HIPAA breach involving security guards using their electronic health record login credentials to access patient records without a job-related purpose, allegedly impermissibly accessing the protected health information (PHI) of 419 individuals. OCR initiated an investigation and determined that Yakima Valley Memorial Hospital did not have adequate policies and procedures in place to comply with the HIPAA Security Rule.

    In addition to paying $240,000, OCR required Yakima Valley Memorial Hospital to enter into a two-year CAP. The CAP requires the hospital to conduct a security risk analysis and implement a risk management plan, as well as to develop, maintain, and revise its written HIPAA policies and procedures and enhance its existing HIPAA and security training.

    In its summary of the enforcement action, OCR emphasizes the need for a HIPAA-regulated entity to comply with the HIPAA Security Rule requirement of restricting access to patient information and providing workforce members only with the access necessary to perform their job duties. Covered entities and business associates also need to ensure that their HIPAA compliance program covers the entirety of their organization, from the front-line clinical staff to the CEO to janitors and other support staff, and that HIPAA training is provided to each workforce member.

    An enterprise-wide security risk analysis remains a key component of HIPAA compliance.

    In resolution agreements released in May and June 2023, OCR entered into settlement agreements with two business associates following investigations of HIPAA breaches, with OCR concluding that both organizations lacked sufficient enterprise-wide security risk analyses.

    In August 2017, OCR received a breach notification report from iHealth Solutions, Inc., stating that the PHI of 267 individuals was exfiltrated from an unsecured server by an unauthorized person. iHealth Solutions is a Kentucky-based business associate that provides billing, coding, and information technology services to healthcare providers. OCR’s investigation revealed that iHealth Solutions failed to conduct an adequate security risk analysis to determine risks and vulnerabilities to electronic PHI across the organization. In a settlement announced on June 28, 2023, iHealth Solution agreed to pay $75,000 and implement a two-year CAP.

    Similarly, in May 2023, OCR announced a settlement with MedEvolve, Inc., also a HIPAA business associate that provides practice management, revenue cycle management, and practice analytics software services. In July 2018, OCR received a breach notification report stating that a file transfer protocol (FTP) server containing the PHI of 230,572 individuals had been openly accessible on the internet since January 1, 2018. OCR found that MedEvolve did not conduct a “sufficiently accurate or thorough” risk analysis. Pursuant to its settlement with OCR, MedEvolve agreed to pay $350,000 and enter into a two-year CAP.

    While the lack of an enterprise-wide risk analysis is a common element of HIPAA noncompliance, it is also a key enforcement point for OCR. Covered entities, business associates, and subcontractor business associates who have not yet conducted a risk analysis or whose existing analysis is not broad enough to assess all of the risks and vulnerabilities to electronic PHI held by the organization should take steps to conduct a thorough and complete risk analysis.

    “Small” breaches may bring enforcement.

    It is also important to note that the investigations of both Yakima Valley Memorial Hospital and iHealth Solutions followed OCR’s receipt of breach notifications for “small” breaches—those affecting less than 500 individuals. While “small” breaches do not automatically trigger an OCR investigation, OCR has the discretion to commence an investigation of any HIPAA breach; it is important for covered entities and business associates to remember that breaches, no matter how small, can trigger an investigation, which may lead to findings of HIPAA noncompliance.

    HIPAA-regulated entities must use caution when responding to online reviews.

    OCR announced a settlement with Manasa Health Center, LLC on June 5, 2023, to resolve allegations that the psychiatric practice impermissibly disclosed PHI in its response to a patient’s online review.

    In April 2020, OCR received a complaint alleging that the Manasa Health Center impermissibly disclosed the PHI of a patient when the entity posted a response to the patient’s negative Google review. The health center’s response allegedly included information about the individual’s diagnosis and treatment of their mental health condition. OCR’s subsequent investigation revealed potential HIPAA violations, including impermissible disclosures of PHI of four patients in response to negative Google reviews and the failure of the entity to implement HIPAA Privacy Rule policies and procedures. Manasa Health Center agreed to pay $30,000 and entered into a two-year CAP.

    Through this enforcement action, OCR emphasizes to HIPAA-regulated entities that disclosures of information on social media and through internet posts must not impermissibly contain PHI. Covered entities and business associates should take care in their responses, as even confirmation of facts posted online by a patient may raise compliance issues under HIPAA. Entities should ensure that their public relations, social media, and administrative teams are trained on acceptable online responses and what content may result in a HIPAA breach.

    OCR’s Right of Access Initiative remains an enforcement priority.

    In the last settlement released during the summer of 2023, OCR published its 45th HIPAA Right of Access Initiative settlement and its first with a health plan. UnitedHealthcare Insurance Company agreed to pay $80,000 and enter into a one-year CAP to resolve allegations that the health plan did provide an individual with a copy of their records until six months after the initial request.

    The right of access is a fundamental patient right under the HIPAA Privacy Rule. Healthcare providers, health plans, and any business associates assisting with the provision of access to records must ensure that they are following the requirements of the HIPAA Privacy Rule with respect to the provision of access. A HIPAA covered entity must provide patient access within 30 days of a request unless it has a reason to deny the request, as permissible under the Privacy Rule, or it has a valid reason to extend its response time by no more than 30 days. Previous OCR guidance indicates that this 30-day requirement is an “outer limit,” encouraging covered entities to provide access as soon as possible. Health plans and other HIPAA-regulated entities should take care to ensure that their workforce, particularly the administrative staff and medical records personnel who receive records requests, have a comprehensive understanding of this HIPAA requirement.

    The OCR resolution agreements released in the summer of 2023 provide HIPAA covered entities and business associates with a roadmap of some key compliance considerations. Entities can use these examples to ensure that they have adopted robust compliance policies and procedures and to enhance workforce training to better inform their teams of HIPAA compliance obligations.

    OCR Action

    Practices

    Cybersecurity & PrivacyHealth Information - Privacy, Security & Data Sharing

    Insights And Happenings

    • Alert

      New York proposes cybersecurity regulations for hospitals

      Nov 27, 2023
    • Video

      How do EU companies respond to ransomware attacks?

      Cybersecurity & Privacy
      Oct 16, 2023
    • Article

      What is the right to privacy?

      Sep 15, 2023
    The foregoing has been prepared for the general information of clients and friends of the firm. It is not meant to provide legal advice with respect to any specific matter and should not be acted upon without professional counsel. If you have any questions or require any further information regarding these or other related matters, please contact your regular Nixon Peabody LLP representative. This material may be considered advertising under certain rules of professional conduct.

    Subscribe to stay informed of the latest legal news, alerts, and business trends.Subscribe

    • People
    • Capabilities
    • Insights
    • About
    • Locations
    • Events
    • Careers
    • Alumni
    • Cookie Preferences
    • Privacy Policy
    • Terms of Use
    • Accessibility Statement
    • Statement of Client Rights
    • Purchase Order Terms & Conditions
    • Nixon Peabody International LLC
    • PAL
    © 2025 Nixon Peabody. All rights reserved