OCR continues busy start to 2025 with three more HIPAA settlements

Jan 21, 2025

By Grace Connelly, Meredith LaMaster and Valerie Montague

In an active start to the year, OCR’s three most recent enforcement actions emphasize the importance of compliance with both the HIPAA Security Rule and the Privacy Rule Right of Access requirement.

As enforcement activity continues from the Department of Health and Human Services (HHS) Office for Civil Rights (OCR), HIPAA-regulated entities are urged to start 2025 by ensuring robust compliance with the HIPAA regulations.

Phishing incident results in double breach

On January 14, 2025, OCR announced a $3,000,000 settlement with Solara Medical Supplies, LLC (Solara), a supplier and direct-to-patient distributor of continuous glucose monitors, insulin pumps, and other supplies to patients with diabetes, over alleged violations of the HIPAA Security Rule and Breach Notification Rule. OCR began investigating Solara in November 2019 after receiving a breach report concerning a phishing incident where an unauthorized third party accessed email accounts of Solara employees. The incident resulted in the breach of 114,007 individuals’ electronic protected health information (ePHI). When sending required breach notifications to individuals affected by the phishing attack, Solara sent 1,531 breach notification letters to the wrong addresses, resulting in a second breach report to OCR.

In addition to the monetary settlement, Solara’s resolution agreement includes a two-year corrective action plan (CAP) that requires Solara to:

• Conduct a comprehensive security risk analysis evaluating risks and vulnerabilities to ePHI;
• Develop and implement a risk management plan to identify and mitigate security risks and vulnerabilities detected in its security risk analysis;
• Maintain and revise, as necessary, policies and procedures that are compliant with HIPAA; and
• Train its workforce members on HIPAA policies and procedures.

Ransomware attack results in OCR’s fourth enforcement action in Risk Analysis Initiative

Shortly after issuing the second and third enforcement actions in OCR’s Risk Analysis Initiative, OCR announced a settlement with Northeast Surgical Group, P.C. (NESG), a Michigan-based surgical services provider, after investigating a ransomware incident reported in March 2023. The incident resulted in the ePHI of 15,298 patients being encrypted and exfiltrated from the NESG network. OCR’s investigation revealed that NESG did not conduct a HIPAA-compliant security risk analysis to identify potential risks and vulnerabilities to ePHI. In addition to the $10,000 financial settlement, NESG is subject to a two-year CAP that ensures the necessary steps are taken to comply with the HIPAA Security Rule, including evaluating its security risk analysis and implementing a risk management plan to address any security risks and vulnerabilities.

Beyond breach-related enforcement actions, OCR continues to prioritize its Right of Access Initiative

On January 15, 2025, OCR announced an enforcement action against South Broward Hospital District d/b/a Memorial Healthcare System (Memorial Healthcare System) for alleged violations of the HIPAA Privacy Rule’s right of access requirements. This marks OCR’s 52nd enforcement action under its Right of Access Initiative. As with past enforcement actions, OCR has emphasized that right of access continues to be a priority. OCR settled with Memorial Healthcare System for $60,000 after investigating a complaint from an individual that he was not given timely access to his medical records, even after multiple requests via the patient portal, mail, and phone. According to the Notice of Proposed Determination, the individual did not receive his records until September 2021, despite his initial records request in December 2020. HIPAA-regulated entities are required to provide access to protected health information (PHI) within 30 days of receiving a request by an individual or their personal representative, unless information is not readily accessible, in which case the entity may extend the time by no more than an additional 30 days.

Takeaways for HIPAA-regulated entities

As OCR continues investigations under its Right of Access Initiative and its Risk Analysis Initiative, HIPAA-regulated entities should start 2025 by reviewing their compliance with HIPAA. Covered entities should take steps to strengthen training for their workforce members who receive record access requests from patients or their personal representatives and for workforce members who are involved in the breach notification process. Covered entities should consider specialized training for certain job roles to ensure that workforce members are adequately trained on HIPAA policies and procedures.

OCR’s enforcement actions emphasize the importance of comprehensive security risk analyses. Covered entities should ensure that they are conducting a comprehensive and compliant enterprise-wide assessment of potential security risks and vulnerabilities that addresses any factors that could affect the confidentiality, integrity, and availability of ePHI. The security risk analysis should also identify all of the PHI received, maintained, or transmitted by the organization. Finally, HIPAA-regulated entities must address deficiencies identified within security risk analyses and implement adequate safeguards to preserve the confidentiality, integrity, and availability of ePHI.
