On July 7, 2025, the US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced a $225,000 financial settlement and two-year corrective action plan (CAP) with Deer Oaks—The Behavioral Health Solution, a provider of psychological and psychiatric services to long-term care and assisted living residents (Deer Oaks). The March 19, 2025 Resolution Agreement describes Deer Oaks as an affiliated covered entity (ACE) under HIPAA, which means that it is comprised of multiple HIPAA covered entities that are under common ownership or control and which self-designate as an ACE.
Complaint, breach, and investigation into alleged ePHI disclosure
In December 2021, OCR received a complaint alleging that one of the covered entities within the Deer Oaks ACE impermissibly disclosed electronic protected health information (ePHI) through patient discharge summaries that were publicly accessible online due to a coding error. OCR commenced an investigation in May 2023 and determined that the ePHI of 35 individuals was exposed and cached by search engine providers from December 2021, if not earlier, until May 2023.
During the course of this investigation, Deer Oaks notified OCR of a network data breach caused by a compromised account, impacting 171,871 individuals. Notably, although a key finding in OCR’s investigation of Deer Oaks is the lack of an accurate and thorough security risk analysis, OCR does not cite this enforcement action as falling within its Risk Analysis Initiative, likely because OCR also found that Deer Oaks impermissibly disclosed PHI.
Importance of “living” security risk analysis
In an email release describing the enforcement, OCR Director Paula M. Stannard stated that “common deficiencies” OCR sees through its Security Rule enforcement efforts include a lack of a security risk analysis or an organization’s failure to update its risk analysis when it implements new technologies or expands operations that affect the security of the organization’s electronic protected health information.
While HIPAA-regulated entities should ensure that they are conducting an annual security risk analysis, it also is important to ensure that this analysis is updated, as necessary, if the organization adopts environmental or operational changes that impact the security of ePHI, which is a HIPAA regulatory requirement.
Considerations for affiliated covered entities
As many healthcare providers operate within systems with other healthcare providers under common control or ownership, this enforcement serves as a reminder to take care when considering self-designation as an ACE and, if choosing to self-designate, to consider the liability surrounding the ACE.
For example, the HIPAA regulations state that a covered entity participating in an ACE is jointly and severally liable for a civil monetary penalty for a HIPAA violation of the ACE, unless it is established that another ACE member was responsible for the violation. Similarly, the Deer Oaks settlement is between OCR and the ACE.
When structuring an ACE, the entities involved may decide to internally segment that potential liability, contractually or otherwise. The possibility of joint and several liability also emphasizes the need for strong HIPAA compliance across the ACE, such as through a unified compliance program.