OCR Reaches HIPAA Settlement with Long-Term Care Behavioral Health Provider

The US Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced on June 7, 2025, that it had reached a settlement with a behavioral health provider, resolving potential violations under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security rules. The provider specializes in psychological and psychiatric services to residents of long-term care and assisted living facilities.

The settlement resolves an investigation OCR initiated in May 2023 after receiving a complaint alleging that the provider impermissibly disclosed electronic protected health information (ePHI), including patient names, dates of birth, patient identification numbers, facilities, and diagnoses, by making patient discharge summaries publicly accessible online. OCR substantiated the allegations and confirmed that the ePHI was publicly accessible online.

According to the provider, a coding error in a now-discontinued pilot program for an online patient portal caused the ePHI to be exposed and cached by search engine providers from at least December 2021 until May 19, 2023. OCR’s investigation found that the provider impermissibly disclosed the ePHI of 35 individuals when it allowed the discharge summaries and initial assessments of those individuals to be publicly available online.

OCR expanded its investigation in July 2024 after the provider experienced a breach of its network on August 29, 2023, resulting from a compromised account. A threat actor claimed to have exfiltrated data and demanded payment to prevent posting the ePHI on the dark web. The provider issued breach notifications related to the August 2023 incident to HHS, 171,871 affected individuals, and the media.

Based on its investigation into both incidents, OCR determined that the provider failed to conduct an accurate and thorough risk analysis to assess the potential risks and vulnerabilities to the ePHI that it held.

Under the terms of the resolution agreement, the provider agreed to pay $225,000 to OCR and implement a corrective action plan, which OCR will monitor for two years. As part of that plan, the provider committed to taking steps to ensure HIPAA compliance and protect the security of ePHI, including:

  • Annually reviewing and updating, as necessary, its risk analysis to determine the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI;
  • Developing and implementing a risk management plan to address and mitigate security risks and vulnerabilities identified in the risk analysis;
  • Developing, maintaining, and revising, as necessary, certain written policies and procedures to comply with the HIPAA rules; and
  • Providing annual training for each workforce member with access to PHI on the provider’s HIPAA policies and procedures.

Compliance Perspective

Issue

OCR enforces the HIPAA Privacy, Security, and Breach Notification rules, which outline the responsibilities of covered entities—such as health plans, healthcare clearinghouses, and most healthcare providers—and their business associates to protect the privacy and security of PHI. A critical component of the Security Rule is the risk analysis provision, which requires covered entities to conduct an accurate and thorough assessment of potential risks and vulnerabilities to the ePHI they maintain. This risk analysis forms the foundation of effective cybersecurity practices and is essential for compliance with the HIPAA Security Rule. Given that ransomware and hacking are the primary cyberthreats facing healthcare organizations, the risk analysis provision is a key requirement to protect ePHI.

Discussion Points

  • Review and update HIPAA-related policies and procedures to ensure they include the requirement for regular and accurate risk analyses. Make sure these policies cover the protection of PHI and comply with the Privacy, Security, and Breach Notification rules. Update the policies as needed when new threats or technologies arise.
  • Provide training for all staff with access to PHI on HIPAA regulations, risk analysis, and protecting ePHI. Include guidance on recognizing common security threats like phishing and compromised accounts. Offer refresher training at least once a year and whenever there are changes in risks or requirements.
  • Conduct regular audits to verify compliance with HIPAA policies and staff understanding of PHI protection. Confirm that risk analyses are being done properly and on time. Also, monitor systems to quickly identify and respond to any security issues.

*This news alert has been prepared by Med-Net Concepts, Inc. for informational purposes only and is not intended to provide legal advice.*